Asymmetric Routing - Palo Edge Firewall Active/Passive to Nexus Core


L0 Member

We have (2) equal cost L3 links from our Nexus core switches to an upstream Palo edge firewall HA pair, active/passive. On the firewall, this is an aggregation ethernet with layer 3 subinterfaces defined.  There is an SVI on each Nexus switch for routing with a layer 2 port-channel to a breakout switch in between the firewall and core, and we are using OSPF.  We suspect there may be some asymmetric routing issues where we see flows such as TCP non-syn in global counters incrementing on the firewall, and due to some application throughput issues.  We want to influence path selection so that the primary L3 link is always used. I have attached a high-level diagram of the topology.  


We are planning to adjust cost on the Palo by changing the OSPF metric to a higher metric on the secondary link, and also adjusting the cost on the Nexus switch SVI for the secondary link to a higher cost. Currently, we do not have ECMP enabled. Has anyone experienced a similar issue and resolved it by adjusting the OSPF metric, or by enabling ECMP?

3 REPLIES

L3 Networker

Hello,

We had the same problem once. I'm not sure we are in the same situation here, but I'm pretty sure the solution you described will be OK.

In short: indeed, you have to change the OSPF cost.

We put a higher OSPF cost on the Nexus backup link and a higher metric on our OSPF links on the Palo Alto connected to this Nexus. All of this was related to the Nexus doing some hashing... We had some asymmetric packets and some others not.


Hope it helps!

L3 Networker

For the ECMP answer: I don't know at all. I'm currently working on migrating these links to eBGP links with ECMP, but one sentence scared me: https://docs.paloaltonetworks.com/ngfw/networking/ecmp

'ECMP is supported on all Palo Alto Networks® firewall models, also with hardware forwarding support on the PA-7000 Series, PA-5200 Series, and PA-3200 Series. VM-Series firewalls support ECMP through software only. Performance is affected for sessions that cannot be hardware offloaded.'

Cyber Elite

Hello,

I agree with changing the cost metric. I use high numbers for the metric, like 10000. That way the algorithm will always choose the path I want.

Regards,
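To see why the plan in the question (raise the cost on the secondary link on both the Palo and the Nexus SVI) works where a one-sided change does not, here is an added example that is not from this thread or from either vendor: a small OSPF-style SPF run over a constructed model of the topology, with node names PA, NXA, NXB and SRV and the 10000 metric from the last reply all assumed for illustration.

```python
# Added example (not from the thread): OSPF-style SPF over the topology described
# above, showing why the secondary link needs a higher cost on BOTH ends.
import heapq

INF = float("inf")

def spf_all_paths(graph, src, dst):
    """Dijkstra keeping every equal-cost predecessor, i.e. the full ECMP set.
    graph: {node: {neighbour: egress interface cost}}; A->B and B->A are
    separate costs, exactly as OSPF treats per-interface cost."""
    dist = {n: INF for n in graph}
    preds = {n: [] for n in graph}
    dist[src], heap = 0, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist[v]:
                dist[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].append(u)  # tie: another equal-cost path (ECMP)
    def walk(n):
        return [[src]] if n == src else [p + [n] for q in preds[n] for p in walk(q)]
    return sorted(walk(dst)) if dist[dst] < INF else []

def topology(pa_to_nxb=1, nxb_to_pa=1):
    """Constructed model: PA = active edge firewall, NXA/NXB = Nexus cores (the
    L2 breakout switch is invisible at L3), SRV = a server subnet both cores
    advertise. Defaults give equal cost everywhere, the thread's current state."""
    return {"PA": {"NXA": 1, "NXB": pa_to_nxb},
            "NXA": {"PA": 1, "NXB": 1, "SRV": 1},
            "NXB": {"PA": nxb_to_pa, "NXA": 1, "SRV": 1},
            "SRV": {}}

SECONDARY = {("PA", "NXB"), ("NXB", "PA")}  # the link we want to keep idle

def uses_secondary(path):
    return any((a, b) in SECONDARY for a, b in zip(path, path[1:]))

def all_traffic_on_primary(pa_to_nxb, nxb_to_pa):
    """True only if the firewall has a single forward path to SRV and the return
    path from either core reaches the firewall over the primary link."""
    g = topology(pa_to_nxb, nxb_to_pa)
    fwd = spf_all_paths(g, "PA", "SRV")
    ret = spf_all_paths(g, "NXA", "PA") + spf_all_paths(g, "NXB", "PA")
    return len(fwd) == 1 and not any(uses_secondary(p) for p in fwd + ret)
```

Calling `all_traffic_on_primary` with (1, 1), (10000, 1) and (10000, 10000) returns False, False and True: with equal costs the firewall has two ECMP candidates and hashing decides, and raising the metric only on the firewall still leaves return traffic entering NXB on the secondary link, so the Nexus SVI cost has to go up as well.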
