VM-Series firewalls in Azure with multiple private zone NICs behind Internal LB not maintaining session

cancel
Showing results for 
Search instead for 
Did you mean: 

VM-Series firewalls in Azure with multiple private zone NICs behind Internal LB not maintaining session

L1 Bithead

I have a use-case: There are 2 VM-Series Palo-alto firewalls deployed in Azure behind Internal Load Balancer. Each firewall has 3 private zone interfaces and Internal LB has 3 Frontend-IPs, one for each firewall interface subnet, the request traffic from one private azure subnet lands on Internal LB Frontend-IP1 and distributed to firewall1 interface1 for processing, the response traffic as part of a same session lands on same Internal LB Frontend-IP2 and getting distributed to firewall2 on interface2, this is causing asymmetry and hence the communication is getting dropped on firewall2. This is happening in Azure internal communication as well as Azure to on-premise communication. I was expecting Internal LB to distribute the same session traffic to just firewall1 and not to firewall2 as I have read in Azure docs that Internal Load Balancer always maintains 5 tuple hash to maintain session. Does Internal LB maintains session hash if the communication is between different Frontend IPs ? I'm using original IPs (without Source NAT) to communicate between private zones. I have attached an architecture diagram for reference. Please advise.

 

4 REPLIES 4

L1 Bithead

Just to add, there is no Panorama and no HA sync between Palos and they are operating independently as active/active.

As long as traffic enters and leaves the same load balancer and firewall interface, Source NAT is not required.  As soon as you cross a zone or use a different load balancer front end IP, SNAT will be required to maintain symmetry.  It has to do with the way the load balancer algorithm is calculated when the firewalls are added to the backend pool.

 

Hope that helps.

 

Scott

Scott Thornton

L1 Bithead

Thanks for the guidance Scott, I was chasing Microsoft for this since many days but didn't get any concrete reply so far regarding the Internal LB working. Appreciate your big help. I understand it as - Because I have multiple front-end IPs on Internal LB with traffic crossing the zones on firewall, I have to source NAT the traffic as Internal LB cannot maintain symmetry in this case. If in another case where the traffic communication would have been on same front-end IP in same zone on firewall then source NAT wouldn't be required as the symmetry will be maintained by the Internal LB.

That is correct.  Have a good one and let us know if you have any additional questions.

Scott Thornton
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!