FortiGate 7000E IPsec load balancing EMAC VLAN interface limitation
On a FortiGate 7000E, because of a DP processor limitation, IPsec VPN load balancing is not supported for sessions received by an EMAC VLAN interface that is not in the same VDOM as the interface that the EMAC VLAN interface has been added to.
The following workarounds are available:
-
Change the FortiGate 7000E configuration so that the EMAC VLAN interface is in the same VDOM as the interface that the EMAC VLAN interface is added to (the EMAC VLAN interface is in the same VDOM as its parent interface).
-
Disable IPsec VPN load balancing and configure the IPsec phase 1 to send packets to the primary FPM or to a specific FPM. If you have multiple IPsec VPNs, you can achieve some load balancing by configuring different IPsec phase 1 configurations to send packets to different FPMs.
In addition, for each IPsec phase 1, create a flow rule to forward clear-text traffic from the EMAC VLAN interface to the primary FPM or to a specific FPM. The FPM in the flow rule must match the FPM in the IPsec phase 1 configuration.
-
Do not use EMAC VLAN interfaces. For example, you could use standard VLAN interfaces. This may require using an external switch to handle VLAN tagging.