Flow rules for sessions that cannot be load balanced
Some traffic types cannot be load balanced. Sessions for traffic types that cannot be load balanced should normally be sent to the primary (or master) FPM by configuring flow rules for that traffic. You can also configure flow rules to send traffic that cannot be load balanced to specific FPMs.
Create flow rules using the config load-balance flow-rule
command. The default configuration uses this command to send IKE, GRE, session helper, Kerberos, BGP, RIP, IPv4 and IPv6 DHCP, PPTP, BFD, IPv4 multicast and IPv6 multicast to the primary FPM. You can view the default configuration of the config loadbalance flow-rule
command to see how this is all configured or see Default configuration for traffic that cannot be load balanced.
For example, the following configuration sends all IKE sessions to the primary FPM:
config load-balance flow-rule
edit 1
set status enable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set action forward
set forward-slot master
set priority 5
set comment "ike"
next
edit 2
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 4500-4500
set dst-l4port 0-0
set action forward
set forward-slot master
set priority 5
set comment "ike-natt src"
next
edit 3
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 0-0
set dst-l4port 4500-4500
set action forward
set forward-slot master
set priority 5
set comment "ike-natt dst"
next