Cisco Support Community
Community Member

ECMP through Transparent Firewall

I have an interesting question.  We are going to try and run equal-cost multipathing through a transparent firewall.  There will be two routers on one side and two on the other running EIGRP between them.  The question is, if a packet leaves one port but the response comes back on a different port, would this cause issues?


I can explain more if needed.


When you run equal-cost multipath on an ASA, you will not get a return packet on a different port. It will not do it in round-robin fashion. The excerpt below from a Cisco document will clarify your doubt.


This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.



Community Member

That is true with a firewall in routed mode.  This firewall is in transparent mode, therefore no routing is taking place on the firewall itself.  The SYN would come in and leave on one set of interfaces (bridge group) but the SYN-ACK would return on another set of interfaces (different bridge group).

I have built this in the lab and confirmed the ASA will drop the packet breaking the connection.

I would like to know if there is any way around this?

I wonder how you do ECMP in a transparent FW?




Community Member

I have found the answer.  You must enable TCP state bypass.  This doesn't just work for transparent mode but also for routed mode.  (documentation here)

I will post my scenario with Visio once completed.
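The configuration the post above refers to, shown here as an added example that is not from the thread or from Cisco's documentation: it enables TCP state bypass only for the flows that can arrive asymmetrically across the ECMP paths, rather than for all traffic. The subnets 10.1.1.0/24 and 10.2.2.0/24, the interface name `inside`, and the ACL, class-map and policy-map names are constructed placeholders.

```cisco
! Match only the traffic that can come back on a different bridge group.
! The subnets are constructed example values. Keeping this ACL narrow limits
! how many flows lose the ASA's TCP stateful checks.
access-list ECMP_BYPASS extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
class-map ECMP_BYPASS_CLASS
 match access-list ECMP_BYPASS
!
policy-map ECMP_BYPASS_POLICY
 class ECMP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the SYN enters (constructed name), or use
! "service-policy ECMP_BYPASS_POLICY global" if the flows can enter anywhere.
service-policy ECMP_BYPASS_POLICY interface inside
```

For flows matched by this policy the ASA no longer enforces the TCP three-way handshake on a single pair of interfaces, and it also stops TCP sequence-number checking, sequence randomization and TCP normalization for them, which is why the ACL should be scoped to the ECMP traffic only. After the SYN-ACK arrives on the other bridge group, `show conn` should list the connection with the `b` flag (TCP state bypass) instead of the flow being dropped.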
