03-31-2026 12:48 PM - edited 03-31-2026 12:50 PM
Hi @Metgatz - You are right! This setup works as long as you have ECMP supported and enabled on the peer end as well.
For instance, I have a PA firewall terminating dual ISPs, and I have equal-cost default routes (0.0.0.0/0) pointing to each ISP. I have enabled ECMP and listed only these physical interfaces to load balance the internet traffic.
Then I am creating a couple of IPsec tunnels via each ISP, and the peer is AWS. I would like to load balance this IPsec traffic over these two tunnels. I just need to enable ECMP on the AWS side to load balance the traffic over both tunnels. I don't require any extra config on the PA firewall.
We should not list tunnel interfaces in the ECMP, but only the physical interfaces. ECMP is enabled globally. Let's say Palo Alto receives two equal-cost routes from AWS over both tunnels using BGP; these two equal-cost routes will be installed in the FIB even though the tunnel interfaces are not listed in the ECMP, because the ECMP interface list applies only to physical next-hop routes, not tunnel routes. It's recommended to enable strict source path on the PA firewall and symmetric return on both peers.
So as long as you have equal-cost routes pointing to the tunnel interfaces, the IPsec traffic gets load balanced over both tunnels. The normal internet traffic gets load balanced using the equal-cost default routes.
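The virtual-router side of the setup described in this reply, written out as an added PAN-OS CLI example (not configuration from the original post): two equal-metric default routes give ECMP its two physical paths, and the two BGP-learned routes via the tunnels need no ECMP interface entry. The virtual-router name `default`, the route names, the interface numbers and the documentation-range next-hop addresses are assumed placeholders.

```text
configure

# Two equal-cost (same metric) default routes, one per ISP uplink.
# Equal metric is what makes them ECMP candidates in the FIB.
set network virtual-router default routing-table ip static-route isp1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route isp2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# Enable ECMP globally on the virtual router, limited to two paths.
set network virtual-router default ecmp enable yes
set network virtual-router default ecmp max-path 2
set network virtual-router default ecmp algorithm ip-modulo

# Recommended in the reply above: keep each session pinned to the path it
# arrived on, so return traffic is not sent down the other uplink/tunnel.
set network virtual-router default ecmp strict-source-path yes
set network virtual-router default ecmp symmetric-return yes

# Note: no ECMP entry for tunnel.1 / tunnel.2. The equal-cost prefixes AWS
# advertises over BGP through both tunnels are installed as ECMP routes on
# their own, provided ECMP is enabled on the AWS side as well.

commit
```

After committing, `show routing fib` should list both next hops for 0.0.0.0/0 and for each prefix learned over both tunnels; a single entry means the metrics or the peer-side ECMP setting still differ.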