* Saku Ytti
Not true. Hash result should indicate discrete flow, more importantly discrete flow should not result in two unique hash numbers. Using whole TOS byte breaks this promise and thus breaks ECMP.
Platforms allow you to configure which bytes are part of hash calculation, whole TOS byte should not be used as discrete flow SHOULD have unique ECN bits during congestion. Toke has diagnosed the problem correctly; the solution is to remove TOS from ECMP hash calculation.
Agreed. This also goes for the other bits, so whole byte must be excluded. For example, the OpenSSH client will by default change the code point from zero (during authentication) to af21/cs1 (when it enters an interactive/non-interactive session). I have experienced this break IPv6 SSH sessions to an anycasted SSH server instance that was reached through old Juniper DPC cards with ECMP enabled. Symptom was that authentication went fine, only for the connection to be reset immediately after (unless default IPQoS config was changed). The «solution» was to simply disable ECMP for all IPv6 traffic, since I could not figure out how to make the Juniper exclude the DiffServ byte from the ECMP hash calculation.

Tore
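
The failure mode discussed in this thread, as an added example that is not part of either message: one SSH flow whose TOS/traffic-class byte changes mid-session is hashed onto ECMP paths with and without that byte in the hash key. The function names, the documentation-prefix addresses and the use of SHA-256 as a stand-in for a router's hash function are assumptions made for the illustration.

```python
import hashlib
import ipaddress
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport tos")

def hash_key(pkt, include_tos):
    """Bytes fed to the ECMP hash: the 5-tuple, optionally plus the TOS byte."""
    key = ipaddress.ip_address(pkt.src).packed + ipaddress.ip_address(pkt.dst).packed
    key += struct.pack("!BHH", pkt.proto, pkt.sport, pkt.dport)
    if include_tos:
        key += bytes([pkt.tos])
    return key

def next_hop(pkt, n_paths, include_tos):
    # SHA-256 is a stand-in (assumption); real platforms use their own hash.
    digest = hashlib.sha256(hash_key(pkt, include_tos)).digest()
    return int.from_bytes(digest[:4], "big") % n_paths

def ssh_session(sport):
    """Constructed sample: one TCP flow to an anycast SSH address.
    TOS byte = DSCP << 2 | ECN. 0x00 = default during authentication,
    0x48 = AF21 once the interactive session starts,
    0x4A = AF21 + ECT(0), 0x4B = AF21 + CE (congestion experienced)."""
    flow = dict(src="2001:db8::10", dst="2001:db8:ffff::22",
                proto=6, sport=sport, dport=22)
    return [Packet(tos=t, **flow) for t in (0x00, 0x48, 0x4A, 0x4B)]

def paths_used(packets, n_paths, include_tos):
    """Set of ECMP paths that the packets of a single flow are spread over."""
    return {next_hop(p, n_paths, include_tos) for p in packets}

def broken_sessions(n_flows, n_paths, include_tos):
    """Count flows whose packets do not all take the same path.
    With anycast, a second path can end at a different server instance,
    which has no state for the connection and resets it."""
    return sum(
        len(paths_used(ssh_session(40000 + i), n_paths, include_tos)) > 1
        for i in range(n_flows)
    )

if __name__ == "__main__":
    for include_tos in (True, False):
        n = broken_sessions(200, 4, include_tos)
        print(f"TOS in hash key: {include_tos!s:5}  flows split across paths: {n}/200")
```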