Fortinet Document Library

Version:

Version:

Version:


Table of Contents

FortiGate-6000 Release Notes

Download PDF
Copy Link

FortiGate-6000 IPsec VPN load balancing support

FortiGate-6000 for FortiOS 6.0.6 supports IPsec VPN load balancing for IPsec VPN sessions terminated by the FortiGate-6000 when static routes are used for communication over the VPN tunnel. If dynamic routing is required, then IPsec VPN load balancing must be disabled.

As well, because of static routing support, FortiGate-6000 for FortiOS 6.0.6 no longer requires you to add source and destination subnets to phase 2 configurations.

You can enable or disable IPsec VPN load balancing using the following command:

config load-balance settings

set ipsec-load-balance {enable | disable}

end

For the FortiGate-6000, IPsec load balancing is enabled by default. For the FortiGate-7000, IPsec load balancing is not supported and is disabled by default

If IPsec load balancing is enabled, the DP3 processor load balances IPsec VPN traffic to the FPCs according to the dp-load-distribution-method configuration. If you disable IPsec load balancing, all IPsec sessions are sent to the primary FPC.

Previous versions of FortiOS for FortiGate-6000 used load balancing flow rules. These rules are no longer required and Fortinet recommends that you manually remove them. See Manually deleting IPsec VPN load balancing flow rules.

FortiGate-6000 IPsec VPN load balancing support

FortiGate-6000 for FortiOS 6.0.6 supports IPsec VPN load balancing for IPsec VPN sessions terminated by the FortiGate-6000 when static routes are used for communication over the VPN tunnel. If dynamic routing is required, then IPsec VPN load balancing must be disabled.

As well, because of static routing support, FortiGate-6000 for FortiOS 6.0.6 no longer requires you to add source and destination subnets to phase 2 configurations.

You can enable or disable IPsec VPN load balancing using the following command:

config load-balance settings

set ipsec-load-balance {enable | disable}

end

For the FortiGate-6000, IPsec load balancing is enabled by default. For the FortiGate-7000, IPsec load balancing is not supported and is disabled by default

If IPsec load balancing is enabled, the DP3 processor load balances IPsec VPN traffic to the FPCs according to the dp-load-distribution-method configuration. If you disable IPsec load balancing, all IPsec sessions are sent to the primary FPC.

Previous versions of FortiOS for FortiGate-6000 used load balancing flow rules. These rules are no longer required and Fortinet recommends that you manually remove them. See Manually deleting IPsec VPN load balancing flow rules.