When a user disconnects from a VPN tunnel, it is not always desirable for the released IP address to be handed out again immediately. In SSL VPN, IP addresses can be assigned from the pool in a round-robin fashion instead of the default first-available method.
In this example, two PCs connect to the VPN. SSL VPN is configured to use round robin IP address assignment. Dual stack address assignment (both IPv4 and IPv6) is used.
After a tunnel is disconnected, freeing a low IP address, the next client that connects gets the next address in the round robin instead of the lowest address.
Create IPv4 and IPv6 address ranges:
config firewall address
    edit "sslvpn_ipv4_pool"
        set type iprange
        set start-ip 22.214.171.124
        set end-ip 126.96.36.199
    next
end

config firewall address6
    edit "sslvpn_ipv6_pool"
        set type iprange
        set start-ip 2000::ad0a:101
        set end-ip 2000::ad0a:103
    next
end
Set the address ranges as IP pools in the SSL VPN settings:
config vpn ssl settings
    set tunnel-ip-pools "sslvpn_ipv4_pool"
    set tunnel-ipv6-pools "sslvpn_ipv6_pool"
end
When round-robin is used, any address pools defined in the web portal are ignored; the tunnel IPv4 and IPv6 pools set in the SSL VPN settings are used instead. Only one set of IP pool addresses can be applied.
Enable round-robin and dual stack in the SSL VPN settings:
config vpn ssl settings
    set dual-stack-mode enable
    set tunnel-addr-assigned-method round-robin
end

By default, IP pool assignment uses the first-available method: the lowest free address in the pool is handed to the next client.
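The difference between the two assignment methods is easiest to see by replaying the scenario from the text (two users connect, the first disconnects, a third connects). The following Python model is an added example, not FortiOS code; it imitates the behaviour of tunnel-addr-assigned-method first-available and round-robin together with dual-stack-mode, using a constructed IPv4 pool from the TEST-NET-1 documentation range and the page's IPv6 pool. Immediate reuse of a just-released address matters to a defender because firewall sessions, logs and any address-based allowances created for the previous client can still refer to that address when the next client receives it.

```python
"""Model of SSL VPN tunnel-IP pool assignment (added example, not FortiOS code).

Imitates the two values of tunnel-addr-assigned-method referenced in the text:
  first-available  (default): scan from the lowest address every time
  round-robin               : continue from the address after the last hand-out
and dual-stack-mode, where one login receives one IPv4 and one IPv6 address.
"""
import ipaddress


class TunnelPool:
    """One address pool (IPv4 or IPv6) with a selectable assignment method."""

    def __init__(self, start, end, method="first-available"):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first.version != last.version or int(last) < int(first):
            raise ValueError("start-ip/end-ip must be the same family and ordered")
        if method not in ("first-available", "round-robin"):
            raise ValueError("unknown assignment method: %s" % method)
        self.addrs = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        self.method = method
        self.in_use = {}   # address -> user holding it
        self.cursor = 0    # round-robin only: index of the next candidate address

    def assign(self, user):
        """Return the address handed to `user`, or None if the pool is exhausted."""
        n = len(self.addrs)
        if self.method == "first-available":
            order = range(n)                                   # always from the lowest
        else:
            order = [(self.cursor + i) % n for i in range(n)]  # resume after last hand-out
        for idx in order:
            addr = self.addrs[idx]
            if addr not in self.in_use:
                self.in_use[addr] = user
                if self.method == "round-robin":
                    self.cursor = (idx + 1) % n
                return str(addr)
        return None

    def release(self, user):
        """Free the address held by `user` (tunnel disconnect)."""
        for addr, holder in list(self.in_use.items()):
            if holder == user:
                del self.in_use[addr]
                return str(addr)
        return None


class DualStackPool:
    """dual-stack-mode enable: every login draws one address from each family."""

    def __init__(self, v4, v6, method):
        self.v4 = TunnelPool(*v4, method=method)
        self.v6 = TunnelPool(*v6, method=method)

    def login(self, user):
        return (self.v4.assign(user), self.v6.assign(user))

    def logout(self, user):
        return (self.v4.release(user), self.v6.release(user))


# Constructed sample pools: the IPv6 range is the one from the page, the IPv4
# range is a documentation-only TEST-NET-1 range, not the page's pool.
V4_POOL = ("192.0.2.1", "192.0.2.3")
V6_POOL = ("2000::ad0a:101", "2000::ad0a:103")


def simulate(method):
    """Replay the scenario in the text: u1 and u2 connect, u1 disconnects
    (freeing the lowest address), then u3 connects. Returns u3's addresses."""
    pool = DualStackPool(V4_POOL, V6_POOL, method)
    pool.login("u1")
    pool.login("u2")
    pool.logout("u1")
    return pool.login("u3")


if __name__ == "__main__":
    for method in ("first-available", "round-robin"):
        print("%-16s u3 gets %s" % (method, simulate(method)))
```

With first-available, u3 receives the address u1 just released (192.0.2.1 / 2000::ad0a:101); with round-robin the allocator moves on to the third address of each pool, and the released address is only reused once the cursor wraps around and nothing newer is free.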
Create two users and assign them to an SSL VPN policy:
config user local
    edit "u1"
        set type password
        set passwd **********
    next
    edit "u2"
        set type password
        set passwd **********
    next
end

config firewall policy
    edit 1
        set name "sslvpnd"
        set srcintf "ssl.vdom1"
        set dstintf "link_11" "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "u1" "u2"
    next
end
Log in to the SSL VPN on PC1 using user u1 and then check its assigned IP address:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User   Group   Auth Type   Timeout   Auth-Timeout   From           HTTP in/out   HTTPS in/out   Two-factor Auth
 0       u1             1(1)        N/A                      10.1.100.145   0/0           0/0            0

SSL-VPN sessions:
 Index   User   Group   Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       u1             10.1.100.145   13         49935/35251   188.8.131.52,2000::ad0a:101
Log in to the SSL VPN on PC1 using user u2 and then check its assigned IP address:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User   Group   Auth Type   Timeout   Auth-Timeout   From   HTTP in/out   HTTPS in/out   Two-fa