FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
wling_FTNT
Staff
Staff

Description
This article describes the work around for SSLVPN load balancing limitation.

Scope
FortiGate-6000 series.

Solution
The FortiGate-6000 does not support load balancing SSL VPN sessions.
The recommended configuration is to direct SSL VPN sessions terminated by the FortiGate-6000 to the primary FPC. 
This requires a flow rule to be manually added on Fortigate-6000. 
See below for example, it matches all sessions sent to port 8443 (SSLVPN listening port) and forward to Master FPC.
It applies to both web mode traffic and tunnel mode traffic. In the example, web mode SSL VPN traffic is sent to IP address 10.0.11.64 port 8443 and tunnel mode SSL VPN is sent to IP address 10.0.11.65 port 8443.

It degrades the performance of Mater FPC when RDP over SSLVPN web mode traffic increases.

# config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 8443-8443
        set forward-slot master
        set comment "ssl vpn server to primary FPC"
    next
end

To work around this limitation:

- Web mode traffic can be load balanced to all FPCs.
- Tunnel mode traffic can be offloaded to Master or any single FPC since it cannot be offloaded/load-balanced to multiple slots at a time due to VPN IP pool conflict
   
It can be achieved by configuring the secondary IP address for the existing interface that receives the SSLVPN traffic and a flow rule to forward all the tunnel traffic to it as a destination address with destination port.
Change the 'dp-load-distribution 'method' is set to 'src-dst-ip method. 


Note: 
By default, load balancing method is set to src-dst-ip-sport-dport (L4). If dp-load-distribution-method is set to src-dst-ip method, there is a 10GB bandwidth limitation on DP for connections started from same client go to same destination.  For example, huge backups from same source and destination may experience slowness due to DP 10G bandwidth limitation.

Configuration steps to implement this workaround.

It is recommended to perform the following procedure during a scheduled maintenance window.
- Use secondary IP on interface to listen SSLVPN sessions
- Changing load balancing method to src-dst-ip (L3) from src-dst-ip-sport-dport (L4)
- Forward all tunnel mode traffic to Master or any FPC on secondary IP.


Network Topology.

This configuration accepts SSL VPN web mode connections at IP address 10.0.11.64, port 8443 and load balances them to all FPCs.
This configuration also accepts SSL VPN tunnel mode connections at IP address 10.0.11.65, port 8443 and sends them to FPC3.



Tunnel-mode.

Web-mode
Remote user-----wan----6k(all FPCs)---------LAN
                                            Primary IP
                                            10.0.11.64
                                            port 8443
Tunnel-mode
Remote user ----wan----6K(FPC3)-------------LAN
                                            Secondary IP
                                            10.0.11.65
                                            port 8443

                                                  
1) To configure a secondary IP address.

From GUI.
Go to Network -> Interfaces, select 'Edit' or 'Create New' and enable the secondary IP address option and create the secondary IP address 10.0.11.65. Select 'OK'.

 edit "SSLVPN"
        set vdom "RemoteVPN"
        set ip 10.0.11.64 255.255.255.0       
        set secondary-IP enable
        set interface "LAN"
        set vlanid 311
        config secondaryip
            edit 1
                set ip 10.0.11.65 255.255.255.0               
            next
        end

2) Change the load balancing method to 'src-dst-ip'.

SSL VPN web mode traffic to the primary IP is load balanced using 'src-dst-ip' load balancing.

# config global
# config load-balance setting

    set dp-load-distribution-method src-dst-ip
end

3) Add a new load balancing flow rule to forward SSL VPN tunnel traffic to FPC3. The flow rule must have destination IP 10.0.11.65 255.255.255.255 and destination port 8443.

For example: Tunnel traffic forwarded to FPC 3.

# config load-balance flow-rule
   
edit 0
        set status enable
        set ether-type ipv4
        set dst-addr-ipv4 10.0.11.65 255.255.255.255
        set dst-l4port 8443-8443
        set forward-slot FPC3
        set comment "SSLVPN tunnel traffic to FPC 3"
    end

4) Disable all other SSL VPN flow rules.

Once the above configuration is applied and users connect to SSL VPN using tunnel mode, the sessions created on FPC 3 are visible.





 
 
Sniffer output when client is allocated with 10.212.134.200 from VPN pool and SSH to internal resource 10.0.14.20 through FPC3.
 
 
 
 
Web mode load balancing, when separate sessions initiated from different source hosts 10.0.0.20 and 10.0.0.21 sessions created on different FPC’s, FPC06 and FPC03 are visible.
Sniffer output :
 
 
 
Sessions on both FPC03 and FPC06 :
 
 
 

 

 

Related Articles

Technical Tip: SSL VPN in web mode use a lot of CPU and memory resources

Contributors