ECMP Strict Source Path

Enable ECMP Strict Source Path when ECMP load balancing can interfere with an ISP verifying an expected source IP address.
When you configure ECMP on a virtual router, IKE and IPSec traffic originating at the firewall by default egresses an interface that the ECMP load-balancing method determines. This can be an issue when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a Reverse Path Forwarding (RPF) check to confirm that the traffic is egressing the same interface on which it arrived. Because ECMP chooses the egress interface based on the load-balancing method, that interface may not be the one the ISP expects, and the ISP could block legitimate return traffic.
To avoid this issue, you can now ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs by enabling Strict Source Path.
  1. Select Virtual Routers and select a virtual router.
  2. Select Router Settings
  3. Enable
  4. Enable Strict Source Path
  5. Click
  6. Commit
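
The following added example (not part of the original documentation, and not PAN-OS code) models the behavior described above so you can see which firewall-originated tunnels would fail an ISP source check with and without Strict Source Path. The interface names, addresses, the CRC32 hash used as a stand-in for an ECMP method, and the simplified ISP check are all assumptions.

```python
import ipaddress
import zlib

# Constructed sample topology: two ISP uplinks with equal-cost default routes.
# Interface names and addresses (RFC 5737 documentation ranges) are assumptions.
INTERFACES = {
    "ethernet1/1": ipaddress.ip_interface("198.51.100.2/30"),  # ISP-A
    "ethernet1/2": ipaddress.ip_interface("203.0.113.2/30"),   # ISP-B
}

def ecmp_egress(src, dst):
    """Stand-in for an ECMP hash method: hash (src, dst) over the equal-cost paths."""
    names = sorted(INTERFACES)
    return names[zlib.crc32(f"{src}|{dst}".encode()) % len(names)]

def strict_source_egress(src):
    """Strict Source Path: egress the interface that owns the tunnel source IP."""
    for name, iface in INTERFACES.items():
        if iface.ip == ipaddress.ip_address(src):
            return name
    raise ValueError(f"{src} is not configured on any interface")

def isp_accepts(egress, src):
    """Simplified ISP-side check: accept only sources inside that uplink's prefix."""
    return ipaddress.ip_address(src) in INTERFACES[egress].network

def audit(tunnels, strict):
    """Return (src, dst, egress, accepted) for each firewall-originated tunnel."""
    rows = []
    for src, dst in tunnels:
        egress = strict_source_egress(src) if strict else ecmp_egress(src, dst)
        rows.append((src, dst, egress, isp_accepts(egress, src)))
    return rows

# Constructed tunnels: (local tunnel source IP, remote peer).
TUNNELS = [("198.51.100.2", f"192.0.2.{n}") for n in range(1, 9)] + \
          [("203.0.113.2", f"192.0.2.{n}") for n in range(1, 9)]

if __name__ == "__main__":
    for strict in (False, True):
        rows = audit(TUNNELS, strict)
        dropped = [r for r in rows if not r[3]]
        print(f"strict_source_path={strict}: {len(dropped)}/{len(rows)} fail the ISP check")
        for src, dst, egress, _ in dropped:
            print(f"  {src} -> {dst} egressed {egress}")
```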
