We are running NetScaler ADC (for load balancing only) behind Cloudflare WAF and are looking to address some problems we've had recently with a large web application (.NET and IIS) that we pointed to Cloudflare.
The issues indicated that some users were kicked out of their sessions after logging in. Since these are customers, and due to the sensitivity of the application, we had to roll back from proxied to DNS-only mode. Despite doing some research and investigating with various teams in the network, we have not found the issue; I am able to see some 499s/500s.
Though while troubleshooting, we came across something that may be a clue. When in proxied mode, we noticed that 2 of the servers were getting less traffic than the others, despite there being no server errors or LB issues observed. We also tried disabling the servers to see if these were server issues, but that did not help. However, after rolling back to DNS-only, we have seen an improvement in the traffic distribution across the servers and are not receiving any calls from users. We have no evidence that this is the root cause, but I just wanted to see if there is anything related to this.
In NetScaler we use a method called SOURCEIPHASH, and since Cloudflare is anycast, I wonder if this creates problems when your session may change source IP for incoming traffic. We are looking to test this; however, I was wondering if anyone has any experience with better and more compatible LB methods for Cloudflare?
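To make the mechanism behind the question concrete, here is an added simulation (my own example, not code from the original poster, NetScaler or Cloudflare). When a proxying CDN/WAF sits in front of the origin, the TCP source address the load balancer hashes is one of the proxy's egress addresses rather than the user's, so a source-IP hash both concentrates traffic on however many backends those few addresses happen to map to, and moves a user to a different backend whenever their requests leave the proxy from a different address. Hashing (or persisting) on the forwarded client-IP header instead, which for Cloudflare is CF-Connecting-IP, restores a stable per-client mapping. The backend names, the six-address proxy pool (RFC 5737 documentation addresses, not real Cloudflare ranges), the polynomial hash used as a stand-in for SOURCEIPHASH, and the pseudo-random client sample are all constructed assumptions for the demo.

```python
"""Added example (not from the original post): a source-IP-hash load balancer
with and without a proxying CDN/WAF in front of it.

Constructed assumptions: 8 backends; a 6-address proxy egress pool using
RFC 5737 documentation addresses (not real Cloudflare IPs); a simple
polynomial hash standing in for NetScaler's SOURCEIPHASH, whose exact
function the page does not show; and a proxy that forwards the real client
address in a request header (Cloudflare uses CF-Connecting-IP).
"""
from __future__ import annotations

import random
from collections import Counter

SERVERS = [f"web{i:02d}" for i in range(1, 9)]          # constructed backends
PROXY_POOL = [f"203.0.113.{n}" for n in range(10, 16)]  # constructed proxy egress IPs


def source_ip_hash(ip: str, n_servers: int = len(SERVERS)) -> int:
    """Map a dotted-quad to a server index with a stable hash (stand-in for
    the LB's real SOURCEIPHASH; any deterministic hash shows the effect)."""
    h = 0
    for octet in ip.split("."):
        h = (h * 31 + int(octet)) & 0xFFFFFFFF
    return h % n_servers


def make_client_ips(count: int, seed: int = 42) -> list[str]:
    """Constructed sample of client addresses (pseudo-random, fixed seed)."""
    rng = random.Random(seed)
    return [".".join(str(rng.randrange(256)) for _ in range(4)) for _ in range(count)]


def simulate(client_ips: list[str], via_proxy: bool, hash_header: bool,
             seed: int = 7) -> dict[str, int]:
    """Requests per backend for one hashing choice.

    via_proxy   -- the LB's TCP source is a proxy egress address, not the client
    hash_header -- hash the forwarded client-IP header instead of the TCP source
    """
    rng = random.Random(seed)
    counts = Counter({s: 0 for s in SERVERS})
    for client in client_ips:
        tcp_src = rng.choice(PROXY_POOL) if via_proxy else client
        key = client if hash_header else tcp_src
        counts[SERVERS[source_ip_hash(key)]] += 1
    return dict(counts)


def backends_seen_by_one_client(client_ip: str, hash_header: bool) -> set[str]:
    """Backends one user reaches when successive requests leave the proxy from
    different egress addresses: with TCP-source hashing the 'sticky' backend
    changes, with header hashing it does not."""
    seen: set[str] = set()
    for proxy_ip in PROXY_POOL:          # same client, each proxy address in turn
        key = client_ip if hash_header else proxy_ip
        seen.add(SERVERS[source_ip_hash(key)])
    return seen


if __name__ == "__main__":
    ips = make_client_ips(2000)
    for label, via_proxy, hash_header in [
        ("DNS-only (LB sees client IPs)", False, False),
        ("proxied, hashing TCP source", True, False),
        ("proxied, hashing forwarded client-IP header", True, True),
    ]:
        dist = simulate(ips, via_proxy, hash_header)
        idle = [s for s, n in dist.items() if n == 0]
        print(f"{label}: {dist}  idle={idle}")
    client = "198.51.100.23"   # constructed client address
    print("one client, TCP-source hash:", sorted(backends_seen_by_one_client(client, False)))
    print("one client, header hash:    ", sorted(backends_seen_by_one_client(client, True)))
```

The stand-in hash means the exact skew will differ from a real NetScaler, but the pigeonhole argument does not depend on the hash: with N distinct proxy egress addresses, a pure source-IP hash can spread traffic over at most N backends, and two of the eight here never receive a request. One security caveat if you switch to header-based hashing or persistence: the forwarded client-IP header is only trustworthy when the origin accepts connections solely from the proxy's published IP ranges (or otherwise authenticates the proxy), since any direct client could set the header to whatever value it likes.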