topic Re: FTD HA setup using multi-wan ECMP load balancing in Network Security

FTD HA setup using multi-wan ECMP load balancing

paul-d — Wed, 19 Jun 2024 21:00:26 GMT

Hi I have a concern with using Equal Cost Multi-Path for dual WAN to be able to use both WAN connections concurrently, however my concern is how a public website will respond if it sees connections coming from different public IP addresses.

If each WAN interface is using a different public IP for Network Address Translation (NAT), the source IP address seen by the destination website could vary, leading to potential issues such as session instability or rejection potentially.

Is my concern valid? and does the FTD have any kind of "sticky" function to ensure all connections to a single website use the same egress interface?

Re: FTD HA setup using multi-wan ECMP load balancing

paul-d — Wed, 19 Jun 2024 21:17:50 GMT

after i RTFM

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221692-configure-ecmp-with-ip-sla-on-ftd-manage.html

Traffic is load balanced among the specified gateways based on an algorithm that hashes the source and destination IP addresses, incoming interface, protocol, source and destination ports. when you run the test, the traffic you simulate can be routed to the same gateway due to the hash algorithm, this is expected, change any value among the 6 tuples (source IP, Destination IP, incoming interface, protocol, source port, destination port) to make change on the hash result.

Re: FTD HA setup using multi-wan ECMP load balancing

Rob Ingram — Wed, 19 Jun 2024 21:18:22 GMT

@paul-d the FTD will load balance the traffic over the different interfaces and unless the route is lost the connection will stay routed via the same interface. Therefore the destination website will see that connection coming from the same NAT IP.

It won't matter if another connection (from a different (user/device) is made to the same destination website from another FTD interface, that connection will be routed via the same interface until the connection ends.

Re: FTD HA setup using multi-wan ECMP load balancing

MHM Cisco World — Wed, 19 Jun 2024 21:46:33 GMT

The ftd to forward traffic check below in order

1- conn

2- nat

3- rib

So if Outside clinet access via Out1 of FTD and FTD have defualt route via Out2 the ftd will use Out1 not Out2 for retrun traffic' since conn come before rib.

So dont worry about that point

MHM

Re: FTD HA setup using multi-wan ECMP load balancing

tvotna — Thu, 20 Jun 2024 16:23:32 GMT

@paul-d, your concern is partially valid in a sense that destination host will see connections coming from different source IP addresses, although this typically shouldn't break things. Unlike other load-distribution methods, e.g. L2 port-channels, the ASA/FTD ECMP hashing algorithm is unconfigurable and always uses 6-tuple to distribute connections:

CSCuq99153 ENH: ASA should have a configurable load-balance algorithm for ECMP

Re: FTD HA setup using multi-wan ECMP load balancing

MHM Cisco World — Thu, 20 Jun 2024 16:29:38 GMT

and more
if the Inside client access internet using OUT2 the traffic will NAT and web server will reply to public IP of OUT2 and not return traffic to OUT1
and again there is no asym traffic
so both case client out or in the traffic return from same point

MHM