Azure Load Balancer causing uneven distribution of traffic between two active firewalls

Created On 12/27/22 00:57 AM - Last Modified 09/03/25 01:20 AM


Symptom


When two active firewalls are deployed behind an Azure Load Balancer, one firewall may receive more traffic than the other.

Environment


  • Palo Alto VM firewalls on Azure Platform
  • Supported PAN-OS


Cause


  • Azure Load Balancer uses a five-tuple hash based distribution mode by default
    • Source IP
    • Source port
    • Destination IP
    • Destination port
    • Protocol type
  • The hash is used to route traffic to healthy backend instances within the backend pool
  • When the client starts a new session from the same source IP, the source port changes and causes the traffic to go to a different backend instance
  • When session persistence is set to "None" in the Azure portal, the successive requests from the same client may be handled by any virtual machine


Resolution


Use Session persistence to resolve the problem.
  • Session persistence mode uses a two-tuple (source IP and destination IP) or three-tuple (source IP, destination IP, and protocol type) hash to route to backend instances
  • When using session persistence, connections from the same client will go to the same backend instance within the backend pool
  • Session persistence mode has two configuration types:
  1. Client IP (2-tuple) - Specifies that successive requests from the same client IP address will be handled by the same backend instance
  2. Client IP and protocol (3-tuple) - Specifies that successive requests from the same client IP address and protocol combination will be handled by the same backend instance
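To make the cause and the fix concrete, the following Python simulation is an added example (it is not part of this article and not Azure or Palo Alto Networks code). It hashes constructed flows under the three session persistence modes and shows why new sessions from one client land on different backends under the five-tuple hash but stay on one backend under the two- and three-tuple hashes. SHA-256 stands in for Azure's undocumented internal hash, and the backend names, addresses and ports are all made up for the example.

```python
import hashlib
import random
from collections import Counter

# Constructed backend pool standing in for the two active firewalls (placeholder names).
BACKENDS = ["fw-a", "fw-b"]


def pick_backend(tuple_fields, backends=BACKENDS):
    """Map a flow tuple to one backend by hashing it.

    Assumption: SHA-256 is a stand-in for Azure's internal hash, which the article
    does not describe. Only the property matters: same tuple -> same backend.
    """
    key = "|".join(str(f) for f in tuple_fields).encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % len(backends)
    return backends[idx]


def five_tuple(flow):
    """Session persistence 'None': source IP, source port, dest IP, dest port, protocol."""
    return (flow["src_ip"], flow["src_port"], flow["dst_ip"], flow["dst_port"], flow["proto"])


def two_tuple(flow):
    """'Client IP': source IP and destination IP only."""
    return (flow["src_ip"], flow["dst_ip"])


def three_tuple(flow):
    """'Client IP and protocol': source IP, destination IP and protocol."""
    return (flow["src_ip"], flow["dst_ip"], flow["proto"])


MODES = {"None": five_tuple, "ClientIP": two_tuple, "ClientIPProtocol": three_tuple}


def make_sessions(src_ip, count, dst_ip="10.0.1.4", dst_port=443, proto="TCP", seed=1):
    """Constructed sample traffic: `count` new sessions from one client.

    Each new session picks a fresh ephemeral source port, which is exactly the
    change the article identifies as moving a client between backends under
    five-tuple hashing.
    """
    rng = random.Random(seed)
    return [
        {"src_ip": src_ip, "src_port": rng.randint(49152, 65535),
         "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto}
        for _ in range(count)
    ]


def backends_for(flows, mode):
    """Return the set of backends the given flows land on under `mode`."""
    selector = MODES[mode]
    return {pick_backend(selector(f)) for f in flows}


def distribution(flows, mode):
    """Count flows per backend under `mode` (shows whether the pool is balanced)."""
    selector = MODES[mode]
    return Counter(pick_backend(selector(f)) for f in flows)


if __name__ == "__main__":
    client = make_sessions("203.0.113.10", 50)
    for mode in MODES:
        print(f"{mode:17s} one client, 50 sessions -> {sorted(backends_for(client, mode))}")
    # Many distinct clients: hashing on client IP alone still spreads load across the pool.
    many = [s for i in range(200) for s in make_sessions(f"198.51.100.{i}", 1, seed=i)]
    for mode in MODES:
        print(f"{mode:17s} 200 clients -> {dict(distribution(many, mode))}")
```

Running the block prints that the single client is split across both firewalls under `None` but pinned to one under `ClientIP` and `ClientIPProtocol`, while 200 distinct clients are still spread across the pool in every mode. The trade-off worth checking after changing the mode is the opposite case: many users behind one NAT address share a source IP and therefore hash to the same firewall, so compare per-firewall session counts once client IP affinity is in place. Outside the portal, the same rule setting is exposed by the Azure CLI as `az network lb rule update --load-distribution SourceIP` (two-tuple) or `SourceIPProtocol` (three-tuple), with `Default` being the five-tuple mode.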
Distribution Mode configuration can be changed by modifying the load-balancing rule in the portal.
  • Sign in to the Azure portal and locate the resource group containing the load balancer you wish to change by clicking on Resource Groups
  • In the load balancer overview screen, select Load-balancing rules under Settings
  • In the load-balancing rules screen, select the load-balancing rule whose distribution mode you wish to change
  • Under the rule, the distribution mode is changed by changing the Session persistence drop-down box
The following options are available:
  1. None (hash-based) - Specifies that successive requests from the same client may be handled by any virtual machine
  2. Client IP (source IP affinity two-tuple) - Specifies that successive requests from the same client IP address will be handled by the same virtual machine
  3. Client IP and protocol (source IP affinity three-tuple) - Specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine
Choose the distribution mode and then select Save.


Additional Information


Refer to Jira ticket FWAAS-4519 for more information.

