FortiGate-6000 Administration Guide

FortiGate-6000 IPsec load balancing EMAC VLAN interface limitation

On a FortiGate-6000, because of a DP processor limitation, IPsec VPN load balancing is not supported for sessions received on an EMAC VLAN interface that is in a different VDOM from its parent interface (the interface that the EMAC VLAN interface was added to).

The following workarounds are available:

  • Change the FortiGate-6000 configuration so that the EMAC VLAN interface is in the same VDOM as its parent interface (the interface that the EMAC VLAN interface is added to).

  • Disable IPsec VPN load balancing and configure the IPsec phase 1 to send packets to the primary FPC or to a specific FPC. If you have multiple IPsec VPNs, you can still spread the load by configuring different IPsec phase 1s to send packets to different FPCs.

    In addition, for each IPsec phase 1, create a flow rule that forwards the clear-text traffic arriving on the EMAC VLAN interface for that VPN to the primary FPC or to a specific FPC. The FPC in the flow rule must be the same FPC that the IPsec phase 1 configuration sends packets to; if they differ, the clear-text side and the encrypted side of the session land on different FPCs.

  • Do not use EMAC VLAN interfaces. For example, you could use standard VLAN interfaces. This may require using an external switch to handle VLAN tagging.
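The following CLI configuration is an added example of the second workaround, assembled here for illustration; it is not taken from the FortiGate-6000 Administration Guide. It shows two IPsec VPNs terminated on an EMAC VLAN interface, each pinned to a different FPC, with a matching flow rule for each VPN's clear-text traffic. The interface name port1-emac-vlan-10, the VPN names, the gateway and subnet addresses and the PSK are constructed placeholders. The option names ipsec-load-balance, ipsec-tunnel-slot and forward-slot, and the FPC value spelling (master, FPC1, FPC2), are assumptions that should be checked against the CLI reference for the FortiOS build in use.

```fortios
# Assumption: this global option disables IPsec session load balancing.
config load-balance setting
    set ipsec-load-balance disable
end

# Phase 1 for each VPN, configured in the VDOM that contains the EMAC VLAN interface.
# Assumption: ipsec-tunnel-slot selects the FPC that handles the tunnel's packets.
config vpn ipsec phase1-interface
    edit "vpn-siteA"
        set interface "port1-emac-vlan-10"      # constructed EMAC VLAN interface name
        set ike-version 2
        set remote-gw 203.0.113.10               # constructed peer address (RFC 5737 range)
        set proposal aes256-sha256
        set psksecret "REPLACE_WITH_SITE_A_PSK"  # placeholder, never a real secret
        set ipsec-tunnel-slot FPC1               # assumed option: send vpn-siteA packets to FPC1
    next
    edit "vpn-siteB"
        set interface "port1-emac-vlan-10"
        set ike-version 2
        set remote-gw 203.0.113.20
        set proposal aes256-sha256
        set psksecret "REPLACE_WITH_SITE_B_PSK"
        set ipsec-tunnel-slot FPC2               # assumed option: send vpn-siteB packets to FPC2
    next
end

config vpn ipsec phase2-interface
    edit "vpn-siteA-p2"
        set phase1name "vpn-siteA"
        set proposal aes256-sha256
        set src-subnet 10.0.0.0 255.255.255.0    # constructed local subnet
        set dst-subnet 10.10.1.0 255.255.255.0   # constructed site A protected subnet
    next
    edit "vpn-siteB-p2"
        set phase1name "vpn-siteB"
        set proposal aes256-sha256
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.10.2.0 255.255.255.0   # constructed site B protected subnet
    next
end

# One flow rule per VPN: clear-text traffic entering on the EMAC VLAN interface and
# destined for a site's protected subnet is forwarded to the same FPC that the
# corresponding phase 1 uses. The forward-slot value must match ipsec-tunnel-slot.
config load-balance flow-rule
    edit 0
        set status enable
        set src-interface "port1-emac-vlan-10"
        set ether-type ipv4
        set dst-addr-ipv4 10.10.1.0 255.255.255.0
        set protocol any
        set action forward
        set forward-slot FPC1                    # matches vpn-siteA ipsec-tunnel-slot
        set comment "vpn-siteA clear-text to FPC1"
    next
    edit 0
        set status enable
        set src-interface "port1-emac-vlan-10"
        set ether-type ipv4
        set dst-addr-ipv4 10.10.2.0 255.255.255.0
        set protocol any
        set action forward
        set forward-slot FPC2                    # matches vpn-siteB ipsec-tunnel-slot
        set comment "vpn-siteB clear-text to FPC2"
    next
end
```

Keying the flow rules on the destination subnet (rather than a catch-all for the EMAC VLAN interface) is what allows the two VPNs to sit on different FPCs; a single rule forwarding all clear-text traffic from the interface to FPC1 would break the pinning for vpn-siteB. To pin everything to the primary FPC instead, use master for both ipsec-tunnel-slot and forward-slot. After applying the configuration, confirm the pinning by checking that each tunnel's sessions appear on the expected FPC before relying on it in production.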