Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
495
Views
3
Helpful
7
Replies

ECMP behaviour on FMC managed FTD 7.2.4

Go to solution
atsukane
Level 1
Level 1

‎01-29-2024 03:29 AM

Hi All,,

We've just enabled ECMP with two 1Gbps AWS direct connect links over the weekend.

The ECMP zone is created in the global routing table, we didn't use VRF, and added equal cost static routes destined to AWS networks in the global routing table. Both interfaces belong to the same security zone.

I would have thought that the traffic will be load balanced and we'd see similar level of utilisation, however, it would appear from the netflow stats that one interface is more heavily used that the other. Any ideas?

atsukane_0-1706527303065.png

 

Many thanks,

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
tvotna
Spotlight
Spotlight

‎01-29-2024 07:17 AM

The difference is dramatic, but let me ask: is it a production with lots of random connections or you're testing the setup by generating some traffic? The thing is: the firewall distributes connections over ECMP links by 6-tuple hash (the hash takes ingress interface into consideration), and not packets, so utilization might be unequal because of this.

 

View solution in original post

Go to solution
atsukane
Level 1
Level 1
In response to MHM Cisco World

‎01-30-2024 04:28 AM

Thanks.

I've checked and the AWS-1 always have the asterisk 

 

View solution in original post

7 Replies 7

Go to solution
tvotna
Spotlight
Spotlight

‎01-29-2024 07:17 AM

The difference is dramatic, but let me ask: is it a production with lots of random connections or you're testing the setup by generating some traffic? The thing is: the firewall distributes connections over ECMP links by 6-tuple hash (the hash takes ingress interface into consideration), and not packets, so utilization might be unequal because of this.

 

Go to solution
MHM Cisco World
VIP
VIP

‎01-29-2024 07:45 AM

the load balance not per-packet but per destination IP and L4 destination Port (if source IP and L4 port is same)
from cisco doc.

Screenshot (96).png

0 Helpful

Go to solution
atsukane
Level 1
Level 1

‎01-29-2024 09:38 AM

thank you both. oddly, as the day went by, it seems to be handling similar amount of traffic now.

We'll keep on monitoring and see how this goes. 

0 Helpful

Go to solution
atsukane
Level 1
Level 1

‎01-30-2024 02:21 AM - edited ‎01-30-2024 02:22 AM

we've monitored throughout yesterday and this morning and now the ECMP seems to be doing what it supposed to do.

 

atsukane_2-1706610041299.png

 

(@tvotna this is for a production with lots of random connections.)

Only thing is that we have an "*" asterisk on one of the routes, this is not just for this network in the screenshot but for all other routes, which make us think one is preferred over the other despite the equal metric.

atsukane_0-1706609744798.png

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to atsukane

‎01-30-2024 02:49 AM

no friend 
the "*" meaning that this route will use for next packet 
now use different destination and check * is it appear with same route or not
MHM

0 Helpful

Go to solution
atsukane
Level 1
Level 1
In response to MHM Cisco World

‎01-30-2024 04:28 AM

Thanks.

I've checked and the AWS-1 always have the asterisk 

 

Go to solution
atsukane
Level 1
Level 1

‎02-02-2024 04:48 AM - edited ‎02-02-2024 04:49 AM

Just reporting back after monitoring the behaviour for a week and it would appear it sorted itself out.

atsukane_3-1706877991044.png

atsukane_1-1706877890218.png

atsukane_0-1706878145063.png

 

 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card