There are three dial-out interfaces on site, and the plan is to perform load sharing for the traffic from the internal network to the public network across these three dial-out interfaces.
The current on-site configuration uses equal-cost default routes with egress interfaces dia 1 and dia 3, and services run normally. After some services were redirected to dia 2 via policy-based routing (PBR), those services experienced anomalies.
A test flow was captured and analyzed via debug.
The debug output shows that the forward packets of the test flow pass through the firewall twice. In this scenario, when the traffic is redirected to dia2 by the policy route, a session already exists from the first pass, so the traffic matches that session directly and is sent out through dia2 without hitting the easy-ip configured on the dia2 interface; no SNAT is performed, and the peer never returns packets. NAT was not applied because when the traffic first left the device through G1/0/7, that interface had no NAT configured, so the session table recorded no NAT translation. When the traffic re-enters the device through G1/0/8, it matches the existing session and is routed out through the dia interface without any NAT translation.
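To make the forwarding order concrete, the following is an added toy model (not the vendor's code, and not from the original note) of the behaviour described above: session lookup happens first, and the NAT decision is recorded only when a session is created, so a flow that re-enters the device matches its old session and skips the easy-ip on the new egress interface. Interface names beyond dia2, G1/0/7 and G1/0/8, and all addresses, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Session:
    snat: Optional[str]  # translated source, fixed when the session is created

class Firewall:
    """Simplified pipeline: PBR/route lookup, then NAT only for new sessions."""

    def __init__(self, easy_ip: Dict[str, str],
                 pbr: Dict[Tuple[str, str], str],
                 static_routes: Dict[str, str]):
        self.easy_ip = easy_ip              # egress interface -> public address (easy-ip)
        self.pbr = pbr                      # (ingress interface, src) -> forced egress
        self.static_routes = static_routes  # dst -> egress interface
        self.sessions: Dict[Tuple[str, str], Session] = {}

    def forward(self, in_iface: str, src: str, dst: str) -> Tuple[str, str]:
        out = self.pbr.get((in_iface, src)) or self.static_routes[dst]
        sess = self.sessions.get((src, dst))
        if sess is None:
            # First packet of a flow: NAT is decided here and stored in the session.
            sess = Session(self.easy_ip.get(out))
            self.sessions[(src, dst)] = sess
        # Existing session: the NAT lookup is skipped; the recorded result is reused,
        # so a session created on an interface without NAT never gets SNAT later.
        return out, sess.snat or src

def double_pass():
    """Constructed scenario: the flow transits the firewall twice (hypothetical addresses)."""
    fw = Firewall(easy_ip={"dia2": "203.0.113.2"},
                  pbr={("G1/0/8", "10.0.0.5"): "dia2"},
                  static_routes={"198.51.100.10": "G1/0/7"})
    first = fw.forward("G1/0/5", "10.0.0.5", "198.51.100.10")   # out G1/0/7, no NAT
    second = fw.forward("G1/0/8", "10.0.0.5", "198.51.100.10")  # re-enters, session hit
    return first, second

def single_pass():
    """After the fix: the flow reaches dia2 as a new session, so easy-ip applies."""
    fw = Firewall(easy_ip={"dia2": "203.0.113.2"},
                  pbr={("G1/0/5", "10.0.0.5"): "dia2"},
                  static_routes={"198.51.100.10": "dia1"})
    return fw.forward("G1/0/5", "10.0.0.5", "198.51.100.10")
```

In the double-pass case the second return value still carries the private source address out of dia2, which is exactly why the peer never answers.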
The issue was resolved by adjusting the network setup so that the traffic no longer passes through the firewall twice.