When you enable ECMP, IKE and IPSec traffic originating at the firewall by default egresses whichever interface the configured ECMP load-balancing method selects. Alternatively, you can enable Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs. Enable this function when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a Reverse Path Forwarding (RPF) check (or another anti-spoofing check) to confirm that traffic arriving on a link carries a source address that belongs to that link, i.e. that return traffic for it would egress the same interface on which it arrived. Because ECMP chooses the egress interface based on the configured ECMP method (instead of using the interface that owns the source address), the tunnel traffic can leave through a different ISP than the one the source address belongs to; that is not what the ISP expects, so its check fails and the ISP can block legitimate traffic. In this case, enable Strict Source Path so that the firewall always egresses through the interface to which the source IP address of the IPSec tunnel belongs; the ISP's RPF check then succeeds and the ISP allows the traffic.
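The following Python model illustrates the interaction the paragraph describes. It is an added example, not code or configuration from the vendor documentation: the two-ISP topology, the interface names and addresses, the CRC32-based flow hash standing in for an ECMP load-balancing method, and the strict uRPF model of the ISP's anti-spoofing check are all constructed assumptions for illustration.

```python
import ipaddress
import zlib

# Constructed topology (assumption, not from the documentation): a firewall with two
# ISP uplinks, each assigned an address from that ISP's own prefix, and equal-cost
# routes to the remote VPN peer via both uplinks.
INTERFACES = {
    "ethernet1/1": {"ip": ipaddress.ip_interface("203.0.113.10/24"), "isp": "ISP-A"},
    "ethernet1/2": {"ip": ipaddress.ip_interface("198.51.100.10/24"), "isp": "ISP-B"},
}
ECMP_NEXT_HOPS = ["ethernet1/1", "ethernet1/2"]

# Tunnel source address: the firewall's ISP-A uplink address (constructed).
TUNNEL_SRC_IP = "203.0.113.10"
PEER_IP = "192.0.2.50"


def ecmp_hash_egress(src_ip, dst_ip, src_port, dst_port, proto):
    """Stand-in for an ECMP hash load-balancing method (assumption: a real
    firewall's method differs): hash the flow and pick one equal-cost egress."""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{proto}".encode()
    return ECMP_NEXT_HOPS[zlib.crc32(key) % len(ECMP_NEXT_HOPS)]


def strict_source_path_egress(src_ip):
    """Strict Source Path: egress the interface that owns the tunnel's source IP,
    regardless of what ECMP would have chosen."""
    wanted = ipaddress.ip_address(src_ip)
    for name, info in INTERFACES.items():
        if info["ip"].ip == wanted:
            return name
    raise ValueError(f"no interface owns source address {src_ip}")


def isp_rpf_check(ingress_ifname, src_ip):
    """ISP-side anti-spoofing check, modelled as strict uRPF: the packet's source
    address must fall inside the prefix the ISP assigned to the link it came in on."""
    link_prefix = INTERFACES[ingress_ifname]["ip"].network
    return ipaddress.ip_address(src_ip) in link_prefix


def send_ike_packet(src_ip, dst_ip, strict_source_path, src_port=500, dst_port=500, proto="udp"):
    """Pick the firewall's egress interface under the chosen mode and report
    whether the ISP on that link accepts the packet."""
    if strict_source_path:
        egress = strict_source_path_egress(src_ip)
    else:
        egress = ecmp_hash_egress(src_ip, dst_ip, src_port, dst_port, proto)
    return egress, isp_rpf_check(egress, src_ip)


def simulate(strict_source_path, ports=range(500, 601)):
    """Send one IKE-like flow per source port and count how many the ISP drops.
    Returns (accepted, dropped, set_of_egress_interfaces_used)."""
    accepted = dropped = 0
    used = set()
    for port in ports:
        egress, ok = send_ike_packet(TUNNEL_SRC_IP, PEER_IP, strict_source_path, src_port=port)
        used.add(egress)
        if ok:
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, used


if __name__ == "__main__":
    for mode in (False, True):
        acc, drp, used = simulate(strict_source_path=mode)
        label = "Strict Source Path" if mode else "ECMP hash"
        print(f"{label:18s}: accepted={acc:3d} dropped={drp:3d} egress={sorted(used)}")
```

Under the ECMP hash, some flows leave via ethernet1/2 carrying an ISP-A source address and fail ISP-B's reverse-path check; with Strict Source Path every flow leaves via ethernet1/1 and passes. Whether the mismatch is intermittent or permanent depends on the real ECMP method (an IP-hash method with no port input can pin the whole tunnel to the wrong uplink), which is why the setting is the fix rather than relying on the hash landing on the right interface.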