https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/591114#M117731 <P>iperf dose uses different source port and destination port is same.&nbsp; we uses the 5-tuple hashing as the rule set to none.&nbsp;&nbsp;</P> <P>I will test to use 2 tuple or 3 tuple session persistence.&nbsp; but why the default 5-tuple hashing will cause the firewall drop packets?</P> <P>&nbsp;</P> <P>Thank you!</P> Wed, 03 Jul 2024 20:36:13 GMT Vanessaxu 2024-07-03T20:36:13Z https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/591066#M117721 <P>&nbsp;</P> <P>The topoplogy is</P> <P>spoke subnet ---&gt; Aure LB ---&gt; 2x Palo VM firewalls -&gt; express route --&gt; on-prem Palo firewall --&gt; on-prem server</P> <P>user at spok subnet send files to onprem is very slow. we did iperf test from a subnet in the spoke vnet to an onprem test server. There are drops on both of the firewalls that behind the LB. The dropped packets are normal tcp ack, fin-ack, rst ack cwr, and tcp retrsnmission.</P> <P>we did another iperf test from a different subnet in the same spoke vnet and skip the Azure LB , just go through one of the Palo vm firewall. Then there is no drops on this Palo firewall.</P> <P>also, there is no drop on the on-prem palo firewall.</P> <P>what could cause the drop on the palo vm firewalls when behind the Azure LB? could anyone help? Thank you!</P> <P><LI-PRODUCT title="Cloud NGFW for Azure" id="Cloud_NGFW_for_Azure"></LI-PRODUCT>&nbsp;</P> Wed, 03 Jul 2024 15:40:30 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/591066#M117721 Vanessaxu 2024-07-03T15:40:30Z https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/591103#M117725 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/195603">@Vanessaxu</a>,</P> <P>How did you have iperf setup when you were doing your testing? If you didn't maintain the same source port and destination port in your testing then you'd expect it to split the traffic across both PA-VMs due to the Azure LB utilizing 5-tuple hashing by default. Generally speaking 5-tuple works perfectly fine for most operations and helps split the load as much as possible.</P> <P>It's possible in your scenario that you would want to utilize 2-tuple or 3-tuple session persistence depending on how you're transferring the file.</P> Wed, 03 Jul 2024 19:33:22 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/591103#M117725 BPry 2024-07-03T19:33:22Z https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/591114#M117731 <P>iperf dose uses different source port and destination port is same.&nbsp; we uses the 5-tuple hashing as the rule set to none.&nbsp;&nbsp;</P> <P>I will test to use 2 tuple or 3 tuple session persistence.&nbsp; but why the default 5-tuple hashing will cause the firewall drop packets?</P> <P>&nbsp;</P> <P>Thank you!</P> Wed, 03 Jul 2024 20:36:13 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/591114#M117731 Vanessaxu 2024-07-03T20:36:13Z https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/593638#M118155 <P>we changed to 3-tuple session persistence and no more packet drop.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Thank you for your suggestion!</P> Wed, 31 Jul 2024 13:19:19 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-vm-firewall-drop-packets-behind-azure-load-balancer/m-p/593638#M118155 Vanessaxu 2024-07-31T13:19:19Z