We've been using mangle and nth (connection marks + routing marks) with great success over the years. This makes perfect use of our two ISP lines (cable + DSL) and asymmetrically distributes the traffic (3 to 1) as they're of different bandwidth.
Now TLS 1.3 comes along and many TLS hosts check the src-address and drop the session when they detect that connections come from two different IP addresses. In other words, upon first access to a particular website, like a bank, the site loads fine but when clicking a hyperlink to load a different part of said website, nth cycles, some part of the website is requested over a "new" connection, it goes out the other ISP line and the user gets kicked out to the login page.
This has been a problem for some time now but steadily growing worse. So far we've been manually wiresharking connections to said websites to identify their addresses and add them to a list that excludes them from nth processing.
However, this now needs to be automated. The number of sites presenting the problem has increased to the point where the above action is no longer practical. The easy solution would be to fire off all https connections from a single WAN with failover, but almost every site including Google Drive, YouTube, etc. now uses https, so this isn't a practical solution either (we'd saturate that WAN).
I'm thinking of adding individual user addresses (internal DHCP assigned) to lists and having each user use that particular ISP line for all https traffic for the duration of the timeout (thinking 2 hours, plenty for normal secure online work).
It's not perfect, but it's the simplest solution I came up with that doesn't involve heavy scripting that could interfere with all our other scripting for failover and general admin tasks.
Has anyone else faced this problem? What was your solution? I'm open to suggestions.
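One way to implement the per-client sticky assignment described in the post, written as an added RouterOS example (this is not configuration from the post or from any reply). It keeps the 3:1 split by letting nth decide the line only the first time a client opens an HTTPS connection, then records the client in an address list with a 2h timeout so every later HTTPS connection from that address takes the same line. The interface name `bridge-lan`, the list names `https-isp1`/`https-isp2`, the connection marks `isp1_conn`/`isp2_conn` and the routing marks `to_isp1`/`to_isp2` are assumed names; the routing marks are expected to already exist from the current failover setup.

```routeros
# Added example, not from the original post. Assumed names: bridge-lan (LAN interface),
# routing tables/marks to_isp1 and to_isp2 (must already exist), connection marks
# isp1_conn / isp2_conn, address lists https-isp1 / https-isp2.
/ip firewall mangle

# 1. Only the first packet of a new HTTPS connection from the LAN needs a decision;
#    hand it to a dedicated chain. Place this rule ABOVE the existing nth rules so
#    HTTPS never reaches them.
add chain=prerouting in-interface=bridge-lan protocol=tcp dst-port=443 \
    connection-state=new action=jump jump-target=https-sticky \
    comment="sticky per-client ISP for HTTPS"

# 2. Every packet of a marked connection gets the matching routing mark.
#    in-interface=bridge-lan keeps replies arriving from the WAN side unmarked.
add chain=prerouting in-interface=bridge-lan connection-mark=isp1_conn \
    action=mark-routing new-routing-mark=to_isp1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=isp2_conn \
    action=mark-routing new-routing-mark=to_isp2 passthrough=no

# 3. Client already assigned to a line: reuse it. The chain falls through to step 2
#    after marking, so the very first packet is routed consistently too.
add chain=https-sticky src-address-list=https-isp1 action=mark-connection \
    new-connection-mark=isp1_conn passthrough=yes
add chain=https-sticky src-address-list=https-isp2 action=mark-connection \
    new-connection-mark=isp2_conn passthrough=yes

# 4. Client not yet assigned (connection still unmarked): every 4th such connection
#    goes to the DSL line, the other 3 to cable, matching the existing 3:1 ratio.
#    The address list entry expires after 2h, after which nth re-assigns the client.
add chain=https-sticky connection-mark=no-mark nth=4,1 action=mark-connection \
    new-connection-mark=isp2_conn passthrough=yes
add chain=https-sticky connection-mark=isp2_conn src-address-list=!https-isp2 \
    action=add-src-to-address-list address-list=https-isp2 address-list-timeout=2h
add chain=https-sticky connection-mark=no-mark action=mark-connection \
    new-connection-mark=isp1_conn passthrough=yes
add chain=https-sticky connection-mark=isp1_conn src-address-list=!https-isp1 \
    action=add-src-to-address-list address-list=https-isp1 address-list-timeout=2h
```

The list check in step 4 is there so a client that is already listed is not re-added (which would otherwise restart its 2h timer on every connection). A client is never on both lists: assignment only happens while it is on neither, and once listed it is caught in step 3. The remaining imperfection is the one the post already accepts: when an entry expires, nth may move that client to the other line while a long-lived web session is still open.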