Experiences with ECMP - What is the best balancing option to correctly maintain sessions?
Hello, how are you doing? I hope everyone is well. Thanks for the collaboration and good vibes.
Based on your experience, what is the best balancing method that PA offers?
Based on what I have had to configure, and thinking about the fidelity of the sessions, the best option has been "IP-HASH". As I understand it, by default it is based on source and destination address unless you check "Source Address Only". There is also the "Use Source/Destination Ports" check box.
Environment with main links between 150 to 300 Mbps and secondary links between 100 to 250 Mbps.
In other cases I applied the classic round robin method, also with weights, but in certain cases users reported problems with access to banks and Office 365. The banks are perhaps understandable, because with the change from one IP to another there are systems that detect it and alert, so that traffic was then forced to the banks with a PBF. What I found strange was Office 365 (SharePoint and OneDrive in particular): I kept searching and adjusting different methods until, with IP Hash, WITHOUT the "Source Address Only" check and WITH the "Use Source/Destination Ports" check, everything began to operate excellently. I was surprised by the Office 365 issues, since the SaaS nature of their services and the SD-WAN and optimization features make me think that those Office 365 apps are already more than prepared for such eventual changes from one link to another.
Well, what have been your experiences with ECMP? Have you had to force some traffic as well? What was the best configuration for your environment and specifications?
Cheers
I've only been able to deploy ECMP in a few of my customers' environments, so my findings are limited.
One of my large customers has multiple tunnels connecting their on-prem datacenter to their cloud environment. Because the cloud environment fully supports asymmetric routing and all uplinks have the same bandwidth, we have basic balanced round robin set up, and that's working wonderfully so far.
For other customers I usually rely on IP Hash set to "Use source address only", so a specific client will always take the same path out to retain routing and NAT addresses, since that has proven to be the most reliable (as you mentioned, some sites may start to act funny if resources are accessed from different IP addresses), especially anything that relies on authentication, as we noticed a user sometimes needed to log in multiple times to the same site.
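To make the behaviour both posts describe concrete (round robin spreading one client's sessions across links and therefore across NAT'd public IPs, source-address-only hashing pinning a client to one link, and the port-aware hash placing each session independently), here is a small simulation added to this thread. It is not Palo Alto Networks code and does not implement the vendor's actual hash: the selector uses SHA-256 of the chosen tuple fields as a stand-in, and the uplinks, NAT addresses and client flows are all constructed for the example.

```python
"""Simulate how the ECMP load-balancing method on an egress firewall decides
which uplink (and therefore which NAT'd public IP) each session leaves on.

Added example for this thread. The hash is a stand-in (SHA-256 of the
selected tuple fields), NOT the vendor's algorithm; links, NAT IPs and
traffic are constructed.
"""
import hashlib
from collections import defaultdict

# Constructed: two equal-cost default routes and the public IP each NATs to.
NAT_IP = {"isp1": "203.0.113.10", "isp2": "198.51.100.10"}
LINKS = list(NAT_IP)


def ip_hash_picker(src_only=False, use_ports=False, links=LINKS):
    """Return a path selector that mimics an 'IP Hash' style ECMP method.

    src_only=True  -> hash the source address only (one client, one link).
    use_ports=True -> also hash the L4 ports, so each session is placed
                      independently of the client's other sessions.
    """
    def pick(src, dst, sport, dport):
        fields = [src] if src_only else [src, dst]
        if use_ports:
            fields += [str(sport), str(dport)]
        digest = hashlib.sha256("|".join(fields).encode()).digest()
        return links[int.from_bytes(digest[:4], "big") % len(links)]
    return pick


def round_robin_picker(weights=None, links=LINKS):
    """Return a (weighted) round-robin selector: new sessions alternate across
    links in proportion to their weight, regardless of who opened them."""
    schedule = []
    for link in links:
        schedule += [link] * (weights or {}).get(link, 1)
    state = {"i": 0}

    def pick(src, dst, sport, dport):
        link = schedule[state["i"] % len(schedule)]
        state["i"] += 1
        return link
    return pick


def egress_ips_per_client(flows, picker):
    """Map each internal source IP to the set of public IPs its sessions used.
    A client that appears with more than one public IP is the case that makes
    bank portals and authenticated SaaS sessions 'act funny'."""
    seen = defaultdict(set)
    for src, dst, sport, dport in flows:
        seen[src].add(NAT_IP[picker(src, dst, sport, dport)])
    return dict(seen)


def sample_flows(clients=8, sessions=64):
    """Constructed traffic: each client opens many TLS sessions to the same
    SaaS front end (192.0.2.1 is a documentation address)."""
    return [
        (f"10.1.0.{c + 10}", "192.0.2.1", 40000 + s, 443)
        for c in range(clients)
        for s in range(sessions)
    ]


if __name__ == "__main__":
    flows = sample_flows()
    methods = [
        ("round-robin", round_robin_picker()),
        ("weighted round-robin 3:1", round_robin_picker({"isp1": 3, "isp2": 1})),
        ("ip-hash src+dst", ip_hash_picker()),
        ("ip-hash src only", ip_hash_picker(src_only=True)),
        ("ip-hash src+dst+ports", ip_hash_picker(use_ports=True)),
    ]
    for name, picker in methods:
        result = egress_ips_per_client(flows, picker)
        multi = sum(1 for ips in result.values() if len(ips) > 1)
        print(f"{name:26s} clients seen from >1 public IP: {multi}/{len(result)}")
```

Running it shows why the two posts land where they do: any round-robin variant puts every client behind both public IPs within a handful of sessions, source-address-only hashing (and source+destination hashing toward a single destination) never does, and adding ports spreads a client's sessions again, which is exactly the trade-off between per-client affinity and per-session balance. The real decision also depends on whether return traffic can come back asymmetrically, which the hash alone does not tell you.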