↔️How Session Load Balancing Breaks Applications | A Flawed Strategy in Network Deployment🔄

Ronald BartelsRonald Bartels
7 min read

Many firewall vendors implement a feature called session load balancing to attempt to utilize multiple links simultaneously for higher throughput. While this may sound like an effective strategy, it introduces several problems that can break applications and services, especially in industries like banking that require secure and stable connections. Fusion’s SD-WAN, on the other hand, solves these issues by utilizing per-packet load balancing in a hub-and-spoke architecture, enabling higher throughput without breaking critical applications.

How Session Load Balancing Works

Session load balancing is a technique where a firewall distributes network sessions across multiple links to optimize traffic and avoid congestion. The idea is to route different sessions—such as web browsing, email, or file transfers—across separate WAN links, theoretically utilizing all available bandwidth across multiple connections.

Here's how it works:

  • A session, which is essentially a series of packets exchanged between a source and destination, is routed through one link.

  • The firewall directs subsequent sessions to other links, attempting to balance the load across multiple WAN connections.

The key problem with session load balancing is that it only works at the session level, meaning each session is tied to a single connection. It cannot distribute the packets within a single session across multiple links, which has significant performance and reliability drawbacks.

Why Session Load Balancing is Flawed

While session load balancing appears to make efficient use of multiple connections, it has several fundamental flaws that make it unsuitable for many applications:

  1. Lack of Aggregation and Bonding

    • In session load balancing, a single session (like a large file transfer or a video call) can only utilize the bandwidth of one link. This means that while different sessions can be routed through different links, a single session can never aggregate the bandwidth of multiple links for higher throughput.

    • This limitation prevents true bonding or aggregation, where multiple connections are combined to increase the overall bandwidth available to any one application or session. As a result, users experience limited performance gains, particularly for bandwidth-heavy applications.

  2. Breaking Applications with Multiple IPs

    • Many applications, especially those related to security-sensitive services such as banking apps, require stable and consistent IP addresses for communication. When session load balancing is in use, different sessions may be routed through different links, each with its own IP address.

    • This causes a major issue: applications see two or more different IP addresses for the same session or user. Security mechanisms within these applications detect this as a potential security risk, interpreting the different IP addresses as multiple, potentially malicious, connections from different sources.

    • Banking apps are a prime example of how this flaw manifests. When they see two originating IP addresses for what should be a single session, they often terminate the connection or deny access altogether, considering it an attempt to breach security. This leaves users frustrated and unable to complete essential transactions.

  3. Session Consistency Issues

    • Certain applications, such as real-time voice or video communications, rely on session consistency. If session load balancing splits traffic between multiple links, it can introduce latency and packet reordering, which can degrade the quality of the service.

    • This is particularly problematic for time-sensitive applications like VoIP (Voice over IP) or online gaming, where even minor disruptions can lead to noticeable performance degradation.

Fusion's SD-WAN | Per-Packet Load Balancing for Seamless Performance

Unlike session load balancing, Fusion’s SD-WAN utilizes per-packet load balancing in a hub-and-spoke architecture, a far superior solution for effectively managing multiple connections without breaking applications. Here’s how it works and why it’s better:

  1. Per-Packet Load Balancing

    • Fusion’s SD-WAN sends individual packets across multiple WAN links, rather than entire sessions. This means that each link is utilized for every packet, allowing for true bonding and aggregation of bandwidth.

    • By spreading traffic on a per-packet basis, Fusion’s SD-WAN can fully utilize the available bandwidth of all connections simultaneously, providing higher throughput and better performance for individual sessions.

  2. Consistent IP Addresses

    • With per-packet load balancing, the system maintains a consistent IP address for the session across all packets. This solves the problem of banking apps and other security-sensitive services that break when they see multiple IPs.

    • Applications see the traffic as coming from a single, stable IP address, ensuring seamless connectivity and avoiding the security checks that cause session terminations in session load balancing.

  3. Hub-and-Spoke Architecture

    • Fusion’s SD-WAN uses a hub-and-spoke architecture, which allows for efficient routing of traffic through a central hub. This setup ensures that traffic is always routed through the most optimal path, reducing latency and improving performance.

    • The architecture is also well-suited to redundancy. In the event of a failure on one link, the system can seamlessly reroute traffic to other available links without disrupting the session, further enhancing reliability.

  4. Superior Application Performance

    • Since per-packet load balancing evenly distributes traffic across all available links, real-time applications such as VoIP, video conferencing, and online services experience consistent performance, even when the network is congested.

    • Fusion’s SD-WAN also applies QoS (Quality of Service) settings to ensure that critical applications always have the bandwidth they need, even when the network is under heavy load.

The Failover Approach | A Common, But Suboptimal Solution to Session Breaking

Many network administrators, recognizing the issues caused by session load balancing, have resorted to a different strategy to avoid breaking applications: disabling load balancing altogether and configuring links in a primary/secondary failover setup. While this method prevents the session-breaking problems that arise from session load balancing, it introduces its own limitations that undermine the full potential of multi-link environments.

How the Failover Approach Works

In a primary/secondary failover configuration, network traffic is directed exclusively through a single (primary) WAN link. The secondary link remains idle, only being activated if the primary link fails. Essentially, the secondary link serves as a backup, ready to take over the entire traffic load if the primary connection experiences an outage.

Benefits of Failover

The main advantage of this approach is that it eliminates session-breaking problems. Since all traffic is routed through one link at a time, applications like banking apps, which require a consistent IP address, will not experience issues caused by seeing multiple IPs. This method ensures that sessions remain stable and uninterrupted as long as the primary connection remains operational.

However, this solution sacrifices several benefits of having multiple links available.

The Limitations of Primary/Secondary Failover

  1. Underutilization of Available Bandwidth

    • By configuring links in a failover scenario, businesses are essentially wasting the capacity of the secondary link. The secondary connection sits idle, waiting for the primary link to fail, which means that businesses are paying for bandwidth they aren't using. This defeats the purpose of investing in multiple links, especially in environments where bandwidth is a critical resource.

    • In contrast, load balancing across multiple links (if done properly) can ensure that both links are actively contributing to the overall network capacity, providing increased throughput and better performance for users.

  2. Delayed Recovery

    • The failover process is not instantaneous. When the primary link fails, there is usually a brief downtime as the secondary link is activated. Although this downtime is often minimal, it can still lead to service interruptions—particularly problematic for real-time applications like VoIP, video conferencing, or online transactions that require constant connectivity.
  3. No Load Distribution

    • Without load balancing, there is no distribution of traffic across the links. All traffic, regardless of its nature or priority, is funneled through the same primary link, potentially leading to congestion during peak usage times. This can cause degraded performance for certain applications, especially if the primary link's capacity is exceeded.

    • In contrast, solutions like Fusion's SD-WAN with per-packet load balancing distribute traffic intelligently, ensuring that both links are actively used to handle different types of traffic efficiently.

Wrap | Per-Packet Load Balancing is the Future

Session load balancing may seem like an appealing solution for distributing traffic across multiple links, but its flaws are significant. From the inability to bond bandwidth across sessions to the security risks posed by inconsistent IP addresses, session load balancing often does more harm than good, particularly in industries where reliability is critical.

Fusion’s SD-WAN, with its per-packet load balancing and hub-and-spoke architecture, offers a far more effective solution for managing multiple WAN links. By ensuring consistent IP addresses, maximizing bandwidth utilization, and providing seamless application performance, Fusion’s SD-WAN avoids the pitfalls of session load balancing and ensures that businesses can maintain high-performance, reliable connectivity.


Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN Last Mile provider in South Africa. Learn more about the best SD-WAN in the world: 👉Contact Fusion✈️


0
Subscribe to my newsletter

Read articles from Ronald Bartels directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Ronald Bartels
Ronald Bartels

Driving SD-WAN Adoption in South Africa