Load Balancing IPSEC VPN UDP-500 & UDP-4500
Hi,
I'm trying to load balance multiple client IPSEC VPN connections to 2 servers; this is part of a Microsoft Always-On VPN solution.
We have it working when I have just one server configured, but I think I need to manage the traffic so that a SRC host's UDP-4500 traffic follows the same SRC host's UDP-500 traffic, so they both hit the same backend server. Otherwise UDP-500 traffic may go to one server and UDP-4500 to the other, which I don't think will work.
The two servers are not peered, or even aware of each other, so a particular SRC's traffic really needs to always hit the same server, with multiple SRC hosts being distributed between the servers, ideally 50/50.
I've looked at templates, in particular the SRC-IP template, but am not sure if this can be used to achieve the level of traffic management required?
I've found information via searching for Kemp LoadMaster to achieve this, but have been unable to find an A10 solution. https://directaccess.richardhicks.com/2019/11/18/always-on-vpn-ikev2-load-balancing-issue-with-kemp-loadmaster/
Does someone know how I can achieve this port-following behaviour?
Thanks.
Comments
If you use the same source-ip persistence template on both virtual ports and set the match type to server, this will populate the persistence table at the server level rather than the virtual port level.
I believe that should accomplish your goals.
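To make the match-type difference concrete, here is an added simulation (not A10 code, and not from any poster) of how an ACOS-style source-IP persistence table is keyed: one entry per (client, virtual port) with match-type port, one entry per client shared by UDP/500 and UDP/4500 with match-type server. Server names, client addresses and the round-robin order are constructed assumptions.

```python
# Added simulation, not A10 code: models source-IP persistence for the two
# IPsec virtual ports (UDP/500 IKE, UDP/4500 NAT-T) under both match types,
# plus re-selection when the pinned member goes down.
from collections import defaultdict

SERVERS = ["RAS1", "RAS2"]          # constructed backend names

class VirtualServer:
    def __init__(self, match_type):
        assert match_type in ("port", "server")
        self.match_type = match_type
        self.persist = {}                   # persistence table
        self.rr = defaultdict(int)          # round-robin position per virtual port
        self.up = set(SERVERS)              # healthy members

    def _key(self, src_ip, vport):
        # match-type port: one entry per (client, virtual port);
        # match-type server: one entry per client, shared by both ports.
        return (src_ip, vport) if self.match_type == "port" else src_ip

    def pick(self, src_ip, vport):
        key = self._key(src_ip, vport)
        srv = self.persist.get(key)
        if srv in self.up:                  # sticky entry still valid
            return srv
        # No entry, or re-select-if-server-down: round-robin over healthy members
        healthy = [s for s in SERVERS if s in self.up]
        if not healthy:
            raise RuntimeError("all members down")
        srv = healthy[self.rr[vport] % len(healthy)]
        self.rr[vport] += 1
        self.persist[key] = srv             # (re)populate the table
        return srv

def route_two_clients(match_type):
    """IKE from both clients first, then NAT-T in the opposite order (a constructed
    interleaving). Returns {client: (member for UDP/500, member for UDP/4500)}."""
    vs = VirtualServer(match_type)
    a, b = "203.0.113.10", "203.0.113.20"   # constructed client addresses
    ike = {a: vs.pick(a, 500), b: vs.pick(b, 500)}
    natt = {b: vs.pick(b, 4500), a: vs.pick(a, 4500)}
    return {c: (ike[c], natt[c]) for c in (a, b)}

def failover(match_type):
    """Client pinned by IKE; that member fails; NAT-T re-selects and the stale
    entry is replaced so the next IKE packet follows it to the new member."""
    vs = VirtualServer(match_type)
    c = "203.0.113.10"
    first = vs.pick(c, 500)
    vs.up.discard(first)                    # simulate the member going down
    return (first, vs.pick(c, 4500), vs.pick(c, 500))
```

With match-type port the two clients each end up with IKE and NAT-T on different members; with match-type server both flows of a client stay together.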
To check my understanding, if I configure it as below the persistence should work so a single client always hits the same server?
```
!
slb server RAS1 192.168.99.8
  port 500 udp
  port 4500 udp
!
slb server RAS2 192.168.99.9
  port 500 udp
  port 4500 udp
!
slb service-group VPN-UDP-4500 udp
  member RAS1 4500
  member RAS2 4500
!
slb service-group VPN-UDP-500 udp
  member RAS1 500
  member RAS2 500
!
slb template persist source-ip VPN-PERSIST
  match-type server
!
slb virtual-server MS-AoVPN 192.168.98.1 /32
  description MS Always-On-VPN
  port 500 udp
    service-group VPN-UDP-500
    template persist source-ip VPN-PERSIST
  port 4500 udp
    service-group VPN-UDP-4500
    template persist source-ip VPN-PERSIST
!
```
😀
That looks correct to me! I've used the exact same approach for transparent proxy load balancing such that port 80 and 443 hit the same proxy.
Hi Jon,
I am aware of a deployment with one of my customers where they load balance across multiple IPSEC tunnels. I haven't tested with the MSFT Always-On VPN, but this should work (add port 4500 and such if you want to leverage NAT traversal instead). They use no-dest-nat so the destination IP doesn't change; this may or may not work for you depending on your routing and such.
This is a sample config they use.
Just a note: I highly recommend avoiding using this with a health monitor that has
"strict-retry-on-server-err-resp". Quick flaps up/down of servers can cause churn and split the sessions (very unique case: must flap quickly and have reselect enabled as well).
Sample:
```
slb template port template_delsessiondown
  del-session-on-server-down
slb template udp template_reselectifdown
  re-select-if-server-down
slb template persist source-ip persist-source-ip
  match-type server
slb server s_server1 10.0.0.1
  port 0 udp
    health-check-disable
  port 500 udp
    health-check-disable
slb server s_server2 10.0.0.2
  port 0 udp
    health-check-disable
  port 500 udp
    health-check-disable
slb service-group sg_IPSEC500 udp
  template port template_delsessiondown
  member s_server1 500
  member s_server2 500
slb service-group sg_UDP_ESP-AH-OTHERS udp
  template port template_delsessiondown
  member s_server1 0
  member s_server2 0
slb virtual-server vip_IPSEC 1.1.1.1 /32
  disable-when-all-ports-down
  port 0 others
    service-group sg_UDP_ESP-AH-OTHERS
    template persist source-ip persist-source-ip
    template udp template_reselectifdown
    no-dest-nat
  port 500 udp
    service-group sg_IPSEC500
    template persist source-ip persist-source-ip
    template udp template_reselectifdown
    no-dest-nat
```
Feel free to reach out to me at adupuislund@a10networks.com - if you have further questions / issues!
Thanks guys, your replies have led me straight to a working configuration. Following holiday / family bereavement / other work commitments, we now have this up and running.
The config below is working fine, and I thought I would share it to say thanks and in case it helps others.
Our front end Virtual Server IP is 192.168.98.1.
The two RAS servers are 192.168.99.8 & 192.168.99.9.
```
!
slb server S-MS-AoVPN-RAS1 192.168.99.8
  port 500 udp
    health-check-disable
  port 4500 udp
    health-check-disable
!
slb server S-MS-AoVPN-RAS2 192.168.99.9
  port 500 udp
    health-check-disable
  port 4500 udp
    health-check-disable
!
slb template port template_delsessiondown
  del-session-on-server-down
!
slb service-group SG-MS-AoVPN-UDP-4500 udp
  template port template_delsessiondown
  member S-MS-AoVPN-RAS1 4500
  member S-MS-AoVPN-RAS2 4500
!
slb service-group SG-MS-AoVPN-UDP-500 udp
  template port template_delsessiondown
  member S-MS-AoVPN-RAS1 500
  member S-MS-AoVPN-RAS2 500
!
slb template persist source-ip T-MS-AoVPN-SRC-IP
  match-type server
!
slb template udp template_reselectifdown
  re-select-if-server-down
!
slb virtual-server VS-MS-AoVPN 192.168.98.1 /32
  disable-when-all-ports-down
  port 500 udp
    service-group SG-MS-AoVPN-UDP-500
    template persist source-ip T-MS-AoVPN-SRC-IP
    template udp template_reselectifdown
  port 4500 udp
    service-group SG-MS-AoVPN-UDP-4500
    template persist source-ip T-MS-AoVPN-SRC-IP
    template udp template_reselectifdown
!
```