topic Re: A question about ECMP in General Topics

A question about ECMP

459768405 — Wed, 09 Apr 2025 11:11:10 GMT

Hi，

I saw a function named ecmp on palo alto NGFW, I think that it can make outbound traffic load balance on two or more physics line or logic line. And I also saw there was a inbound interface information in the session table of firewall.

So I want to know if there are two out line on the firewall and connect to outside network named port1 and port2. Maybe they are all in the untrust zone, and then we open the ecmp function on virtual router of firewall, of course we have two ecmp routes with the same metric. At that time if there is a traffic transmit from inside network to outside, the syn packet transmit by port1, but the syn+ack answer packet received by port2, will there have a problem caused by outcome port is different to income port? Will the syn+ack packet forward or discard? Will our session table check the information about income or outcome port? I need your help, Thanks! By the way, I only know a little English, So if you can’t understand what I mean, please leave a comment, I’ll explain more about this question, Thank you!

Re: A question about ECMP

OtakarKlier — Wed, 09 Apr 2025 16:02:38 GMT

Hello,

Hope this can answer your questions.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH0CAK

The traffic should return the same port it was sent out from.

Regards,

Re: A question about ECMP

459768405 — Wed, 09 Apr 2025 16:17:15 GMT

hi,

Thanks for your answer, but I think if we use ECMP, we can't control which port that the return packet( for example like a syn+ack packet) select, if the route let the packet select a different port with the port which transmit the syn packet, will the firewall discard the syn+ack packet caused of session table mismarch or another reason?

Best Wishes

Re: A question about ECMP

reaper — Thu, 10 Apr 2025 10:45:14 GMT

if you have all your ECMP interfaces set in the same zone (e.g. Untrust) the firewall will accept returning packets on the 'wrong' (not egress) interface

Re: A question about ECMP

OtakarKlier — Thu, 10 Apr 2025 18:39:19 GMT

Hello,

What @reaper said. Here is an article that goes over what I think you are wanting to deploy.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK

Regards,

Re: A question about ECMP

459768405 — Fri, 11 Apr 2025 02:01:46 GMT

Yeah! Thank you for your answer, I knew this concept now, and I also make a experimentation about this question. The conclusion is same with your answer. By the way, if I user the vlan interface replace physical L3 interface, and two ecmp vlan interface are in the same security zone but user different vlan tag, will the conclusion same? I mean will the firewall accept returning packets that has a different vlan tag with the request packets?

Re: A question about ECMP

459768405 — Fri, 11 Apr 2025 03:58:43 GMT

Hi,

Thank you for your help, I try the part for this document(use ecmp between two different zones) but with out the source nat config, it doesn't work. maybe we should use nat in this context.

Best Wishes

Re: A question about ECMP

reaper — Wed, 23 Apr 2025 09:54:18 GMT

if you're egressing out of different zones you need to configure source nat or make sure there is no asymmetric return

asymmetric return is not supported if your egress interfaces have different zones

Re: A question about ECMP

459768405 — Wed, 23 Apr 2025 09:57:55 GMT

yes that's true, thanks about your help, I know it now, you are so skillful.