FortiGate 6000F and 7000E IPsec load balancing EMAC VLAN interface limitation
On a FortiGate 6000F or 7000E, because of a DP processor limitation, IPsec VPN load balancing is not supported for sessions received by an EMAC VLAN interface that is not in the same VDOM as the interface that the EMAC VLAN interface has been added to.
The FortiGate-7000F platform uses NP7 processors for load balancing, so this limitation does not apply. |
On a FortiGate 6000F or 7000E, the following workarounds are available:
-
Change the FortiGate configuration so that the EMAC VLAN interface is in the same VDOM as the interface that the EMAC VLAN interface is added to (the EMAC VLAN interface is in the same VDOM as its parent interface).
-
Disable IPsec VPN load balancing and configure the IPsec phase 1 to send packets to the primary FPC or FPM or to a specific FPC or FPM. If you have multiple IPsec VPNs, you can achieve some load balancing by configuring different IPsec phase 1 configurations to send packets to different FPCs or FPMs.
In addition, for each IPsec phase 1, create a flow rule to forward clear-text traffic from the EMAC VLAN interface to the primary FPC or FPM or to a specific FPC or FPM. The FPC or FPM in the flow rule must match the FPC or FPM in the IPsec phase 1 configuration.
-
Do not use EMAC VLAN interfaces. For example, you could use standard VLAN interfaces. This may require using an external switch to handle VLAN tagging.