- Network > Virtual Routers > Router Settings > ECMP
Use the following fields to configure equal-cost multi-path (ECMP) settings.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which sometimes results in the termination of existing sessions.
Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. This configures the firewall to use the ingress interface when sending return packets instead of the ECMP interface, which means that the Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.
Strict Source Path
By default, IKE and IPSec traffic originating at the firewall egresses an interface that the ECMP load-balancing method determines. Select Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs. Enable Strict Source Path when the firewall has more than one ISP providing equal-cost paths to the same destination. The ISPs typically perform a Reverse Path Forwarding (RPF) check (or a different check to prevent IP address spoofing) to confirm that the traffic is egressing the same interface on which it arrived. Because ECMP by default chooses an egress interface based on the configured ECMP method (instead of choosing the source interface as the egress interface), the chosen interface may not be the one the ISP expects, and the ISP can block legitimate return traffic. In this use case, enable Strict Source Path so that the firewall egresses this traffic on the interface to which the source IP address of the IPSec tunnel belongs.
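The following Python model is an added illustration, not vendor code or firewall configuration. It shows why firewall-originated IKE/IPSec sessions can fail an ISP anti-spoofing check under ECMP and pass with Strict Source Path. The interface names, prefixes, peers, the round-robin stand-in for the ECMP method, and the simplified ISP check (source must be in the prefix assigned on that link) are all assumptions.

```python
import ipaddress
from itertools import cycle

# Constructed topology: each ISP assigns one prefix to one firewall interface.
INTERFACES = {
    "ethernet1/1": ipaddress.ip_network("198.51.100.0/24"),  # ISP A (constructed)
    "ethernet1/2": ipaddress.ip_network("203.0.113.0/24"),   # ISP B (constructed)
}

# Constructed firewall-originated IKE/IPSec sessions: (tunnel source IP, peer IP).
SESSIONS = [
    ("198.51.100.10", "192.0.2.1"),
    ("198.51.100.10", "192.0.2.2"),
    ("203.0.113.10", "192.0.2.3"),
    ("203.0.113.10", "192.0.2.4"),
]

def owning_interface(src):
    """Strict Source Path choice: the interface whose subnet holds the source IP."""
    addr = ipaddress.ip_address(src)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    raise ValueError(f"{src} does not belong to any ECMP interface")

def isp_accepts(interface, src):
    """Simplified ISP anti-spoofing check: source must be in the prefix on that link."""
    return ipaddress.ip_address(src) in INTERFACES[interface]

def simulate(sessions, strict_source_path):
    """Pick one egress per session (not per packet) and apply the ISP check."""
    round_robin = cycle(sorted(INTERFACES))  # stand-in for the configured ECMP method
    results = []
    for src, peer in sessions:
        egress = owning_interface(src) if strict_source_path else next(round_robin)
        results.append((src, peer, egress, isp_accepts(egress, src)))
    return results

def dropped(results):
    """Sessions the ISP would block."""
    return [(src, peer, egress) for src, peer, egress, ok in results if not ok]

if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict_source_path={strict}")
        for row in simulate(SESSIONS, strict):
            print("  ", row)
```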
Select the maximum number of equal-cost paths (2, 3, or 4) to a destination network that can be copied from the RIB to the FIB (default is 2).
Choose one of the following ECMP load-balancing algorithms to use on the virtual router. ECMP load balancing is done at the session level, not at the packet level. This means that the firewall (ECMP) chooses an equal-cost path at the start of a new session, not each time a packet is received.