ConsistentHash persistence not working between east-west traffic between services in the cluster

Within the cluster I have two services, frontend and backend. Backend is a Socketio instance and has a virtualservice in the “mesh” gateway and a destination rule that looks like this:

---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: backend
  namespace: prod
spec:
  host: backend.prod.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpHeaderName: Sec-WebSocket-Version
  workloadSelector:
    matchLabels:
      app: backend

I have also used istioctl x describe pod "$(kubectl get pod -l app=backend -o jsonpath='{.items[0].metadata.name}')" to verify that the virtualservice and destinationrule are applying to the correct pods.

The frontend needs to make multiple http (instead of ws://) calls to the backend but needs to hit the same backend instance for each group of requests. Perhaps Sec-WebSocket-Version isn’t the best header to match on but I wanted to try the easiest one to get a proof of concept with. I have also tried useSourceIP, and the cookie strategy described in Istio setup for socket.io - #3 by skalinets.

I turned on Envoy logging to confirm %REQ(Sec-WebSocket-Version)% is set to the same value for all requests. Despite this, I often see the requests hitting multiple pods. How do I resolve this issue?

Thanks

I was able to resolve this by both removing my workloadSelector and fixing the global.proxy.includeIPRanges in my istio config.