SSL VPN tunnel mode load balancing
FortiGate-6000 and 7000 for FortiOS 6.4.8 supports load balancing SSL VPN tunnel mode sessions terminated by the FortiGate-6000 or 7000.
By default, SSL VPN load balancing is disabled and a flow rule is required to send all SSL VPN sessions to one FPC or FPM. For example, the following flow rule sends all SSL VPN sessions to the primary FPC or FPM:
config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 443-443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
end
To support SSL VPN tunnel load balancing, you must disable all flow rules that match the SSL VPN traffic to be load balanced.
Then you can use the following new command to enable SSL VPN load balancing:
config load-balance setting
    set sslvpn-load-balance enable
end
When you enable SSL VPN load balancing, the FortiGate-6000 or 7000 restarts SSL VPN processes on the management board and the FPCs and on all FIMs and FPMs, resetting all current SSL VPN sessions.
SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools to the FPCs or FPMs. Each FPC or FPM acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPC or FPM.
SSL VPN IP pool IP addresses are not re-allocated if an FPC or FPM goes down, is disabled, or is taken offline. The IP pool IP addresses assigned to the missing FPC or FPM are not available.
For SSL VPN load balancing to work properly, the DP processor load distribution method must be changed to a setting that does not include
config load-balance setting
    set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | dst-ip-dport}
end
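The two prerequisites above (no enabled flow rule may still capture the SSL VPN traffic once sslvpn-load-balance is on, and the static IP pool split means a down FPC or FPM takes its share of addresses with it) are easy to miss when reviewing a config export. The following is an added example, not Fortinet code: a small Python audit that parses the flat `config / edit / set / next / end` shape shown on this page, reports enabled flow rules that still match TCP/443 while SSL VPN load balancing is enabled, and estimates tunnel-mode address capacity per worker slot. The sample config, the pool range, the slot count, and the even split of the pool across slots are constructed assumptions for illustration; the page only says each FPC or FPM acquires a subset of the pool.

```python
"""Audit a FortiGate-6000/7000 config snippet for the SSL VPN tunnel-mode
load-balancing prerequisites described on this page.

Added example, not Fortinet code. Handles only the flat
config / edit / set / next / end layout used here.
"""
import ipaddress

# Constructed sample: sslvpn-load-balance is enabled, but an enabled flow
# rule still steers TCP/443 to the primary worker, which defeats balancing.
SAMPLE_CONFIG = """\
config load-balance flow-rule
    edit 1
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 443-443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
    next
    edit 2
        set status disable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 500-500
        set forward-slot master
    next
end
config load-balance setting
    set sslvpn-load-balance enable
end
"""

SSLVPN_PORT = 443  # SSL VPN server port used by the flow rule on the page


def parse_config(text):
    """Return {section: {entry_id: {key: value}}}.

    `set` lines placed directly under `config` (no `edit`) are stored under
    the entry id "" so that sections like `load-balance setting` parse too.
    """
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
            entry = section.setdefault("", {})
        elif line.startswith("edit "):
            entry = section.setdefault(line[5:], {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = section[""]
        elif line == "end":
            section = entry = None
    return sections


def port_range_covers(spec, port):
    """dst-l4port is written "low-high" (443-443 on the page). A missing
    value or "0-0" is treated as "any port" (assumption of this example)."""
    if spec in (None, "0-0"):
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def conflicting_flow_rules(sections):
    """IDs of enabled flow rules that would still capture SSL VPN sessions
    (TCP to port 443) while sslvpn-load-balance is enabled."""
    setting = sections.get("load-balance setting", {}).get("", {})
    if setting.get("sslvpn-load-balance") != "enable":
        return []
    hits = []
    for rule_id, rule in sections.get("load-balance flow-rule", {}).items():
        if not rule_id or rule.get("status") != "enable":
            continue
        if rule.get("protocol", "any") not in ("tcp", "any"):
            continue
        if port_range_covers(rule.get("dst-l4port"), SSLVPN_PORT):
            hits.append(rule_id)
    return hits


def pool_capacity(pool_ranges, worker_slots, slots_down=0):
    """Estimate tunnel-mode address capacity under static pool allocation.

    Assumes (not stated on the page) an even split across worker slots;
    addresses owned by a down slot are not re-allocated, so they are lost.
    """
    total = sum(int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
                for start, end in pool_ranges)
    per_slot = total // worker_slots
    return {"total": total, "per_slot": per_slot,
            "usable": per_slot * (worker_slots - slots_down)}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("flow rules still matching SSL VPN:", conflicting_flow_rules(cfg))
    # Constructed pool of 250 addresses across 6 worker slots, one slot down.
    print(pool_capacity([("10.212.134.1", "10.212.134.250")], 6, slots_down=1))
```

Run it against a real `show load-balance flow-rule` / `show load-balance setting` export instead of SAMPLE_CONFIG; any rule id it reports must be disabled before SSL VPN load balancing will work, and the capacity figure is the number to compare against the expected concurrent tunnel count when sizing the pool.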