
FTD HA setup using multi-wan ECMP load balancing

paul-d
Level 1

Hi, I have a concern with using Equal Cost Multi-Path for dual WAN to be able to use both WAN connections concurrently; however, my concern is how a public website will respond if it sees connections coming from different public IP addresses.

If each WAN interface is using a different public IP for Network Address Translation (NAT), the source IP address seen by the destination website could vary, potentially leading to issues such as session instability or rejection.

Is my concern valid? And does the FTD have any kind of "sticky" function to ensure all connections to a single website use the same egress interface?

5 Replies

paul-d
Level 1

After I RTFM:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221692-configure-ecmp-with-ip-sla-on-ftd-manage.html

Traffic is load balanced among the specified gateways based on an algorithm that hashes the source and destination IP addresses, incoming interface, protocol, and source and destination ports. When you run the test, the traffic you simulate can be routed to the same gateway due to the hash algorithm; this is expected. Change any value among the 6 tuples (source IP, destination IP, incoming interface, protocol, source port, destination port) to make a change in the hash result.

The FTD, to forward traffic, checks the below in order:

1- conn

2- nat

3- rib

So if an outside client accesses via Out1 of the FTD and the FTD has a default route via Out2, the FTD will use Out1, not Out2, for return traffic, since conn comes before rib.

So don't worry about that point.

MHM

And more:
If the inside client accesses the internet using OUT2, the traffic will be NATed and the web server will reply to the public IP of OUT2 and not return traffic to OUT1,
and again there is no asymmetric traffic,
so in both cases, client out or in, the traffic returns from the same point.

MHM
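To make the two points above concrete (per-flow 6-tuple hashing from the quoted doc, and the conn table being consulted before the RIB), here is an added model written for this thread. It is not Cisco's code: the real ASA/FTD hash function is not published, so SHA-256 stands in for it, and the interface names and addresses are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed egress interfaces and the NAT public IP a website would see behind each.
GATEWAYS = {"Out1": "203.0.113.1", "Out2": "198.51.100.1"}


@dataclass(frozen=True)
class Flow:
    """The 6-tuple the ECMP hash is computed over."""
    src_ip: str
    dst_ip: str
    in_iface: str
    proto: str
    src_port: int
    dst_port: int


def hash_gateway(flow, gateways=tuple(GATEWAYS)):
    """Pick an equal-cost gateway from the 6-tuple (SHA-256 as a stand-in hash)."""
    key = f"{flow.src_ip}|{flow.dst_ip}|{flow.in_iface}|{flow.proto}|{flow.src_port}|{flow.dst_port}"
    digest = hashlib.sha256(key.encode()).digest()
    return gateways[int.from_bytes(digest[:4], "big") % len(gateways)]


class Firewall:
    def __init__(self):
        self.conn_table = {}  # flow -> egress interface chosen at connection setup

    def forward(self, flow):
        # 1. conn: an existing connection keeps its egress, so a session never moves WAN
        if flow in self.conn_table:
            return self.conn_table[flow]
        # 2. nat / 3. rib: new connection, equal-cost routes hashed on the 6-tuple
        egress = hash_gateway(flow)
        self.conn_table[flow] = egress
        return egress

    def public_ip(self, flow):
        return GATEWAYS[self.forward(flow)]


def session_public_ips(fw, flow, packets=10):
    """Set of public IPs the website sees across all packets of one session."""
    return {fw.public_ip(flow) for _ in range(packets)}


def gateways_used(fw, client_ip, website_ip, n=64):
    """Egress interfaces chosen for n separate connections (distinct source ports)."""
    return {fw.forward(Flow(client_ip, website_ip, "inside", "tcp", 40000 + i, 443)) for i in range(n)}
```

One session always maps to one public IP, while many separate connections to the same site spread across both WANs, which is exactly what the website ends up seeing.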

@paul-d the FTD will load balance the traffic over the different interfaces and unless the route is lost the connection will stay routed via the same interface. Therefore the destination website will see that connection coming from the same NAT IP.

It won't matter if another connection (from a different user/device) is made to the same destination website from another FTD interface; that connection will be routed via the same interface until the connection ends.

@paul-d, your concern is partially valid in the sense that the destination host will see connections coming from different source IP addresses, although this typically shouldn't break things. Unlike other load-distribution methods, e.g. L2 port-channels, the ASA/FTD ECMP hashing algorithm is unconfigurable and always uses a 6-tuple to distribute connections:

CSCuq99153 ENH: ASA should have a configurable load-balance algorithm for ECMP
