SSL VPN load balancing
FortiGate-6000 supports load balancing SSL VPN tunnel mode sessions terminated by the FortiGate-6000. By default, SSL VPN load balancing is disabled, and a flow rule is required to send all SSL VPN sessions to one FPC (usually the primary FPC).
To support SSL VPN tunnel load balancing, you must disable all flow rules that match the SSL VPN traffic to be load balanced.
For SSL VPN load balancing to work properly, the DP processor load distribution method must be changed to a setting that does not include src-port. The following DP load distribution methods are supported for SSL VPN load balancing:
config load-balance setting
set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | dst-ip-dport}
end
Then you can use the following command to enable SSL VPN load balancing:
config load-balance setting
set sslvpn-load-balance enable
end
When you enable SSL VPN load balancing, the FortiGate-6000 restarts the SSL VPN processes running on the management board and the FPCs, resetting all current SSL VPN sessions. Any active SSL VPN session is interrupted by this restart.
Once the SSL VPN processes restart, the FortiGate-6000 DP3 processor distributes SSL VPN tunnel mode sessions to all of the FPCs.
To be able to distribute SSL VPN sessions to all FPCs, SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools among the FPCs. Each FPC acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPC.
SSL VPN IP pool IP addresses are not re-allocated if an FPC goes down, is disabled, or is taken offline. The IP pool IP addresses assigned to the missing FPC are not available until the FPC returns to normal operation.
No other special configuration is required to support SSL VPN tunnel mode load balancing.
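As an added example (not Fortinet code or a FortiOS feature), the following Python script checks a saved `config load-balance setting` block against the prerequisites above and estimates how many IP pool addresses each FPC will receive once the pool is split statically. The sample config text is constructed, and the equal-split estimate is an assumption, since the page does not describe the allocation algorithm.

```python
import ipaddress
import re

# DP load distribution methods the page lists as compatible with SSL VPN
# load balancing; none of them hash on the client source port.
SSLVPN_SAFE_METHODS = {"to-master", "src-ip", "dst-ip", "src-dst-ip", "dst-ip-dport"}


def parse_lb_setting(config_text: str) -> dict:
    """Collect 'set <key> <value>' lines from the 'config load-balance setting' block.
    Minimal parser for the CLI shape shown on the page, not a general FortiOS parser."""
    block = re.search(r"config load-balance setting\n(.*?)\nend", config_text, re.S)
    settings = {}
    if block:
        for m in re.finditer(r"^\s*set (\S+) (.+)$", block.group(1), re.M):
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_sslvpn_lb(config_text: str) -> list:
    """Return findings; an empty list means the block meets the page's prerequisites."""
    s = parse_lb_setting(config_text)
    findings = []
    if s.get("sslvpn-load-balance") != "enable":
        findings.append("sslvpn-load-balance is not enabled")
    method = s.get("dp-load-distribution-method")
    if method is None:
        findings.append("dp-load-distribution-method not set explicitly; confirm it excludes src-port")
    elif method not in SSLVPN_SAFE_METHODS:
        findings.append(f"dp-load-distribution-method {method} includes src-port; not supported")
    return findings


def per_fpc_pool_share(pool_cidr: str, fpc_count: int) -> int:
    """Approximate tunnel IPs per FPC when the pool is split among the FPCs.
    Assumption (not from the page): the static split is roughly equal."""
    net = ipaddress.ip_network(pool_cidr, strict=False)
    return net.num_addresses // fpc_count


def pool_is_sufficient(pool_cidr: str, fpc_count: int, peak_users_per_fpc: int) -> bool:
    """True if each FPC's share covers its expected peak of concurrent tunnel users."""
    return per_fpc_pool_share(pool_cidr, fpc_count) >= peak_users_per_fpc


# Constructed sample, not captured from a real device.
SAMPLE_CONFIG = """config load-balance setting
    set dp-load-distribution-method src-dst-ip
    set sslvpn-load-balance enable
end
"""
```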
For more information on FortiGate 6000F SSL VPN load balancing, see this Fortinet Community article: Technical Tip: How to load balance SSL VPN web-mode traffic on FortiGate-6000 series.