|
SSLVPN support load balance is now supported in most of the latest firmware of FortiGate-6K/7K Chassis:
SSL VPN load balancing
In certain situations, load balancing cannot be done.
For example, in a situation where the DMZ/internal server is a source initiating connection to the destination as an SSL VPN host.
This situation mostly happens in the VoIP environment when the call server receives a call request and forwards it to the target SSL VPN host.
When the chassis's FIM/MBD receives this type of request, then it will forward to a blade by following the load balancing algorithm, and end the traffic may reach a worker FPM/FPC which does not have the SSL VPN setup to the SSL VPN host and caused the connection dropped.
Solution:
Since this is the limitation of Chassis SSL VPN load balancing, the only way is to disable the SSL VPN load balance and create a flow rule to the master blade.
Disable load balancing for SSL VPN:
config load-balance setting
set sslvpn-load-balance disable
end
Create flow rule to master blade:
config load-balance flow-rule
edit <ID>
set status enable
set ether-type ipv4
set protocol TCP
set dst-l4port <SSLVPN port number>
set forward-slot master
set comment "ssl vpn server to primary worker"
end
|
