In ECMP settings there is Strict Source Path option to enable. But I can't find any descriptin about this option anywhere. Anyone knows what exactly does this option do?
Solved! Go to Solution.
This has been bugging me since it was posted. I was finally able to do enough digging and found the answer.
Strict Source Path is a feature of the ECMP specification, rather than a feature unique to Palo Alto Networks. There are 2 types of source routing with ECMP, loose and strict.
Check the following RFC, section 3.1. The subsections are titled "Loose Source and Record Route" and "Strict Source and Record Route".
Both require options in the IP header. Loose (type=131) is by far the most common, but some environments will need strict (type=137).
Thanks, i also had this query.
It may be not relevent here, but appreciate if you can clarify me in this option, I can see 'symmetric return' under ECMP option, is this a alternative option for symmetric return in dual ISP failover/ECMP scenario ?. i have seen in dual ISP scenarios, poeple were using PBF for symmetric return enforcement.
So if i have web services running inside and ECMP is enabled in dual ISP scenario, i just need to enable this option instead of doing PBF and select ' symmetric return' ?
@Abdul_Razaq they're related, but do different things in their own context. The PBF option is when you could have asymmetric routes, whereas in ECMP it overrides the inherent load balancing that ECMP provides. Both of the following are pulled from the inline help on the firewall from their respective sections:
Symmetric return in ECMP
Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface, so the Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.
Symmetric return in PBF
"strict source path" means no ECMP. It applies to firewall originated IKE/IPsec traffic. Traffic will be sent out over the tunnel based on which tunnel the source address belong to. It has nothing to do with real "source routing". It does not affect transit traffic. Similar to "symetric return" it is an exception of ECMP hashing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!