07-03-2024 08:40 AM
The topology is
spoke subnet ---> Azure LB ---> 2x Palo VM firewalls -> ExpressRoute --> on-prem Palo firewall --> on-prem server
A user in the spoke subnet sending files to on-prem is very slow. We did an iperf test from a subnet in the spoke VNet to an on-prem test server. There are drops on both of the firewalls behind the LB. The dropped packets are normal TCP ACK, FIN-ACK, RST-ACK-CWR, and TCP retransmissions.
We did another iperf test from a different subnet in the same spoke VNet, skipping the Azure LB and going through just one of the Palo VM firewalls. Then there are no drops on this Palo firewall.
Also, there are no drops on the on-prem Palo firewall.
What could cause the drops on the Palo VM firewalls when they are behind the Azure LB? Could anyone help? Thank you!
07-03-2024 12:33 PM
How did you have iperf setup when you were doing your testing? If you didn't maintain the same source port and destination port in your testing then you'd expect it to split the traffic across both PA-VMs due to the Azure LB utilizing 5-tuple hashing by default. Generally speaking 5-tuple works perfectly fine for most operations and helps split the load as much as possible.
It's possible in your scenario that you would want to utilize 2-tuple or 3-tuple session persistence depending on how you're transferring the file.
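To make the distribution-mode point concrete, here is an added example (not code from the thread, Palo Alto or Microsoft) that models how each Azure Load Balancer load-distribution setting maps the parallel TCP streams of an `iperf3 -P` run onto the two PA-VMs. The two backend names, the client and server addresses and the port range are constructed for the example, and the hash is a deterministic toy stand-in, since Azure's real hash function is not published; the only property the model relies on is that equal keys always land on the same backend.

```python
"""Model Azure Load Balancer distribution modes over iperf parallel streams.

Added example, not the thread's or any vendor's code. BACKENDS, the addresses
and the hash are assumptions made for illustration.
"""
from collections import Counter, defaultdict

# Assumption: two PA-VM firewalls in the LB backend pool.
BACKENDS = ("pa-vm-1", "pa-vm-2")

# Azure load-distribution settings and the flow fields each one hashes on.
MODES = {
    "Default": ("src_ip", "src_port", "dst_ip", "dst_port", "proto"),  # 5-tuple
    "SourceIPProtocol": ("src_ip", "dst_ip", "proto"),                 # 3-tuple
    "SourceIP": ("src_ip", "dst_ip"),                                  # 2-tuple
}


def lb_key(flow, mode):
    """The subset of the flow that the chosen mode hashes on."""
    return tuple(str(flow[field]) for field in MODES[mode])


def toy_hash(key):
    """Deterministic stand-in for the LB hash (byte sum of the joined key).

    Not Azure's algorithm; it only guarantees that identical keys map to the
    same backend, which is all the distribution logic depends on.
    """
    return sum("|".join(key).encode())


def pick_backend(flow, mode):
    """Backend the LB would send every packet of this flow to."""
    return BACKENDS[toy_hash(lb_key(flow, mode)) % len(BACKENDS)]


def iperf_flows(client, server, streams, first_port=50000, server_port=5201):
    """Constructed flows of `iperf3 -c <server> -P <streams>`: one TCP
    connection per parallel stream, each from a different ephemeral source
    port to the same server port."""
    return [
        {"src_ip": client, "src_port": first_port + i,
         "dst_ip": server, "dst_port": server_port, "proto": "tcp"}
        for i in range(streams)
    ]


def distribution(flows, mode):
    """How many of the flows each firewall receives under the given mode."""
    return Counter(pick_backend(flow, mode) for flow in flows)


def sessions_per_firewall(flows, mode):
    """Which firewall's session table each stream (by source port) lands in."""
    table = defaultdict(list)
    for flow in flows:
        table[pick_backend(flow, mode)].append(flow["src_port"])
    return dict(table)


if __name__ == "__main__":
    # Constructed spoke client and on-prem iperf server addresses.
    flows = iperf_flows("10.1.2.10", "192.168.100.20", streams=8)
    for mode in MODES:
        print(f"{mode:17s} -> {dict(distribution(flows, mode))}")
    print(sessions_per_firewall(flows, "SourceIPProtocol"))
```

With the 5-tuple `Default` mode the eight streams, which differ only in source port, are spread over both PA-VMs, so each firewall holds sessions for only part of the transfer; with `SourceIPProtocol` (3-tuple) or `SourceIP` (2-tuple) every stream from that client lands on the same firewall. The mode names match the `loadDistribution` values of an Azure load balancing rule, which can be changed with `az network lb rule update --load-distribution SourceIPProtocol` (plus the usual `--resource-group`, `--lb-name` and `--name` arguments).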
07-03-2024 01:36 PM
iperf does use different source ports; the destination port is the same. We use 5-tuple hashing (the rule is set to None).
I will test 2-tuple or 3-tuple session persistence. But why would the default 5-tuple hashing cause the firewall to drop packets?
Thank you!
07-31-2024 06:19 AM
We changed to 3-tuple session persistence and there are no more packet drops.
Thank you for your suggestion!