Palo VM firewall drop packets behind Azure load balancer
The topoplogy is
spoke subnet ---> Aure LB ---> 2x Palo VM firewalls -> express route --> on-prem Palo firewall --> on-prem server
user at spok subnet send files to onprem is very slow. we did iperf test from a subnet in the spoke vnet to an onprem test server. There are drops on both of the firewalls that behind the LB. The dropped packets are normal tcp ack, fin-ack, rst ack cwr, and tcp retrsnmission.
we did another iperf test from a different subnet in the same spoke vnet and skip the Azure LB , just go through one of the Palo vm firewall. Then there is no drops on this Palo firewall.
also, there is no drop on the on-prem palo firewall.
what could cause the drop on the palo vm firewalls when behind the Azure LB? could anyone help? Thank you!