https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227783#M124149 <P>Hi all,&nbsp;</P> <P>while using ECMP for the last 2 years without any issues using 3 ISP's with different weight and enabling Symmetric Return and Strict Source Path, I found that some sites with authentication access and Proofpoint secure emails access are being timed out</P> <P>because of their sensitivity of the source ISP change during the session.</P> <P>In most of the cases creating BPF rule using address group for all those site's FQDN resolve the issue, but I'm looking for a way to using BPF based on URL category like Banks\financial sites.</P> <P>&nbsp;</P> <P>Anyone face the same issue and solved it with a different approach?&nbsp;</P> <P>&nbsp;</P> <P>Thank you for the help.</P> Wed, 30 Apr 2025 16:57:00 GMT SShnap 2025-04-30T16:57:00Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227783#M124149 <P>Hi all,&nbsp;</P> <P>while using ECMP for the last 2 years without any issues using 3 ISP's with different weight and enabling Symmetric Return and Strict Source Path, I found that some sites with authentication access and Proofpoint secure emails access are being timed out</P> <P>because of their sensitivity of the source ISP change during the session.</P> <P>In most of the cases creating BPF rule using address group for all those site's FQDN resolve the issue, but I'm looking for a way to using BPF based on URL category like Banks\financial sites.</P> <P>&nbsp;</P> <P>Anyone face the same issue and solved it with a different approach?&nbsp;</P> <P>&nbsp;</P> <P>Thank you for the help.</P> Wed, 30 Apr 2025 16:57:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227783#M124149 SShnap 2025-04-30T16:57:00Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227788#M124151 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a> ,</P> <P>&nbsp;</P> <P>I had similar issues with 1 customer.&nbsp; Changing the ECMP Load Balance Method from IP Modulo (default) to IP Hash caused all sessions with the same source/destination to always go out the same interface.&nbsp; This eliminated the need for PBF, and the applications worked properly.&nbsp; You could also check the box so that all traffic from a source IP address always goes out the same interface.</P> <P>&nbsp;</P> <P>It <EM>appeared</EM> that the problem was that the web application wanted all traffic from the same source to have the same IP.&nbsp; This change fixed the issue.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 30 Apr 2025 17:51:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227788#M124151 TomYoung 2025-04-30T17:51:30Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227789#M124152 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;Thank you for the comment, so if I'm going to IP Hash route, I need to remove the PBF and there is no weight consideration?</P> <P>Currently I'm using 2 ISP with same weight and 3rd ISP for backup with lower weight.</P> <P>I will check this option later and see the results.</P> <P>Thank you&nbsp;</P> Wed, 30 Apr 2025 19:00:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227789#M124152 SShnap 2025-04-30T19:00:11Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227790#M124153 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a> ,</P> <P>&nbsp;</P> <P>No, there is no weight consideration with IP Hash.&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ecmp/ecmp-load-balancing-algorithms" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ecmp/ecmp-load-balancing-algorithms</A></P> <P>&nbsp;</P> <P>IP Hash balances over all links the same.&nbsp; If you want the 3rd ISP for backup, you can give it a higher metric.</P> <P>&nbsp;</P> <P>I'm sure you already know this, but it is safer to disable PBF for now rather than remove.&nbsp; Rollback becomes much faster.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 30 Apr 2025 19:07:12 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1227790#M124153 TomYoung 2025-04-30T19:07:12Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1228262#M124201 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;Thank you for the response, I still want to use the PBF because some of the services are being allowed based on the ISP interface outbound.</P> <P>Do you know what is prioritize first if we are using IP Hash and PBF?&nbsp;</P> <P>I meant disable before removing them completely, thank you for the clarification.&nbsp;</P> Tue, 06 May 2025 15:59:37 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1228262#M124201 SShnap 2025-05-06T15:59:37Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1228268#M124202 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/40971">@SShnap</a> ,</P> <P>&nbsp;</P> <P>PBF takes priority over routing.&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/policy-based-forwarding" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/policy-based-forwarding</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 06 May 2025 16:22:59 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-breaks-secure-email-access/m-p/1228268#M124202 TomYoung 2025-05-06T16:22:59Z