SSL VPN load balancing
FortiGate-7000E supports load balancing SSL VPN tunnel mode sessions terminated by the FortiGate-7000E. By default SSL VPN load balancing is disabled and a flow rule is required to send all SSL VPN sessions to one FPM (usually the primary FPM).
To support SSL VPN tunnel load balancing, you must disable all flow rules that match the SSL VPN traffic to be load balanced.
For SSL VPN load balancing to work properly, the DP processor load distribution method must be changed to a setting that does not include src-port. The following DP load distribution methods are supported for SSL VPN load balancing:
config load-balance setting
set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | dst-ip-dport}
end
Then you can use the following command to enable SSL VPN load balancing:
config load-balance setting
set sslvpn-load-balance enable
end
When you enable SSL VPN load balancing, the FortiGate-7000E restarts SSL VPN processes running on the management board and the FPMs, resetting all current SSL VPN sessions. This restart will interrupt any active SSL VPN sessions.
Once the SSL VPN processes restart, the FortiGate-7000E DP2 processor distributes SSL VPN tunnel mode sessions to all of the FPMs.
To be able to distribute SSL VPN sessions to all FPMs, SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools among the FPMs. Each FPM acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPM.
SSL VPN IP pool IP addresses are not re-allocated if an FPM goes down, is disabled, or is taken offline. The IP pool IP addresses assigned to the missing FPM are not available until the FPM returns to normal operation.
No other special configuration is required to support SSL VPN tunnel mode load balancing.