Load Balancing IPSEC VPN UDP-500 & UDP-4500

Hi,
I’m trying to load balance multiple client IPSEC VPN connections to 2 servers; this is part of a Microsoft Always-On VPN solution.
We have it working when I have just one server configured, but I think I need to manage the traffic so that the SRC host's UDP-4500 traffic follows the same SRC host's UDP-500 traffic so they both hit the same backend server. Otherwise UDP-500 traffic may go to one server and UDP-4500 to the other, which I don’t think will work.
The two servers are not peered, or even aware of each other, so a particular SRC's traffic really needs to always hit the same server, with multiple SRC hosts being distributed between the servers, ideally 50/50.
I’ve looked at templates, in particular the SRC-IP template, but am not sure if this can be used to achieve the level of traffic management required?
I’ve found information via searching for Kemp LoadMaster to achieve this, but have been unable to find an A10 solution.
https://directaccess.richardhicks.com/2019/11/18/always-on-vpn-ikev2-load-balancing-issue-with-kemp-loadmaster/
Does someone know how I can achieve this port following behaviour?
Thanks.

If you use the same source-ip persistence template on both virtual ports and set the match type to server, this will populate the persistence table at the server level rather than the virtual port level:

slb template persist source-ip vpn-persist
  match-type server

I believe that should accomplish your goals.

To check my understanding, if I configure it as below, the persistence should work so a single client always hits the same server?

!
slb server RAS1 192.168.99.8 
 port 500 udp 
 port 4500 udp 
!
slb server RAS2 192.168.99.9 
 port 500 udp 
 port 4500 udp 
!
slb service-group VPN-UDP-4500 udp 
 member RAS1 4500 
 member RAS2 4500 
!
slb service-group VPN-UDP-500 udp 
 member RAS1 500 
 member RAS2 500 
!    
slb template persist source-ip VPN-PERSIST 
 match-type server
!    
slb virtual-server MS-AoVPN 192.168.98.1 /32 
 description MS Always-On-VPN
 port 500 udp 
  service-group VPN-UDP-500 
  template persist source-ip VPN-PERSIST 
 port 4500 udp 
  service-group VPN-UDP-4500 
  template persist source-ip VPN-PERSIST 
!  

That looks correct to me! I’ve used the exact same approach for transparent proxy load balancing such that port 80 and 443 hit the same proxy.

Hi Jon,

I am aware of a deployment with one of my customers and they load balance across multiple IPSEC tunnels. I haven’t tested with the MSFT Always On VPN, but this should work (add port 4500 and such if you want to leverage NAT traversal instead). They use no-dest-nat so the destination IP doesn’t change; this may or may not work for you depending on your routing and such.

This is a sample config they use:

Just a note - I highly recommend avoiding using this within a health monitor with:
"strict-retry-on-server-err-resp" - quick flaps up/down of servers can cause churn and split the sessions. (very unique case - must flap quickly and have reselect enabled as well)

-sample:

slb template port template_delsessiondown 
 del-session-on-server-down

slb template udp template_reselectifdown
 re-select-if-server-down

slb template persist source-ip persist-source-ip 
 match-type server

slb server s_server1 10.0.0.1 
 port 0 udp 
  health-check-disable
 port 500 udp 
  health-check-disable

slb server s_server2 10.0.0.2 
 port 0 udp 
  health-check-disable
 port 500 udp 
  health-check-disable

slb service-group sg_IPSEC500 udp
 template port template_delsessiondown
 member s_server1 500
 member s_server2 500

slb service-group sg_UDP_ESP-AH-OTHERS udp
 template port template_delsessiondown
 member s_server1 0
 member s_server2 0

slb virtual-server vip_IPSEC 1.1.1.1 /32 
 disable-when-all-ports-down 
 port 0 others
  service-group sg_UDP_ESP-AH-OTHERS 
  template persist source-ip persist-source-ip  
  template udp template_reselectifdown
  no-dest-nat
 port 500 udp 
  service-group sg_IPSEC500
  template persist source-ip persist-source-ip  
  template udp template_reselectifdown
  no-dest-nat

Feel free to reach out to me at adupuislund@a10networks.com - if you have further questions / issues!
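To make the two behaviours discussed in this thread concrete, below is an added example that is not part of the thread and not ACOS code: a small Python model of a two-port UDP VIP in front of two backends, with a source-IP persistence table keyed either per virtual port (the default) or per server (match-type server). It assumes per-service-group round-robin selection and models re-select-if-server-down together with del-session-on-server-down as "drop the stale entry and pick again"; the server names, client addresses and packet order are constructed.

```python
"""Toy model of source-IP persistence for a two-port IKEv2 VIP (IKE on
UDP/500, NAT-T on UDP/4500) in front of two backends.  Constructed example,
not A10 ACOS code: it only mirrors the semantics described in the thread."""
from dataclasses import dataclass

SERVERS = ("RAS1", "RAS2")  # constructed names matching the thread's backends


@dataclass
class ServiceGroup:
    """One service group with its own round-robin pointer, one per port."""
    name: str
    members: tuple
    rr: int = 0

    def next_member(self, down=frozenset()):
        # Round-robin over members, skipping any currently marked down.
        for _ in range(len(self.members)):
            member = self.members[self.rr % len(self.members)]
            self.rr += 1
            if member not in down:
                return member
        raise RuntimeError("all members down")


class VirtualServer:
    """VIP with two UDP ports sharing one source-ip persistence template."""

    def __init__(self, match_type="port", reselect=False):
        assert match_type in ("port", "server")
        self.match_type = match_type
        self.reselect = reselect  # models re-select-if-server-down
        self.groups = {
            500: ServiceGroup("VPN-UDP-500", SERVERS),
            4500: ServiceGroup("VPN-UDP-4500", SERVERS),
        }
        self.persist = {}  # the persistence table

    def _key(self, src_ip, vport):
        # match-type server: one entry per client covers every port on the VIP.
        # default (port level): a separate entry per (client, virtual port).
        return src_ip if self.match_type == "server" else (src_ip, vport)

    def dispatch(self, src_ip, vport, down=frozenset()):
        key = self._key(src_ip, vport)
        srv = self.persist.get(key)
        if srv is not None and srv in down:
            if not self.reselect:
                return srv  # stays stuck to a dead backend; traffic is lost
            del self.persist[key]  # del-session-on-server-down, then re-select
            srv = None
        if srv is None:
            srv = self.groups[vport].next_member(down)
            self.persist[key] = srv
        return srv


def run(match_type, packets, reselect=False):
    """Dispatch a packet sequence; returns the VIP and its per-packet choices."""
    vs = VirtualServer(match_type, reselect)
    return vs, [(src, port, vs.dispatch(src, port)) for src, port in packets]


def split_clients(decisions):
    """Clients whose UDP/500 and UDP/4500 flows landed on different servers."""
    seen = {}
    for src, _port, srv in decisions:
        seen.setdefault(src, set()).add(srv)
    return sorted(src for src, srvs in seen.items() if len(srvs) > 1)


# Constructed arrival order: two clients whose IKE and NAT-T packets interleave.
PACKETS = [
    ("203.0.113.10", 500),
    ("203.0.113.20", 500),
    ("203.0.113.20", 4500),
    ("203.0.113.10", 4500),
]

if __name__ == "__main__":
    for mode in ("port", "server"):
        _, decisions = run(mode, PACKETS)
        print(f"match-type {mode}:")
        for src, port, srv in decisions:
            print(f"  {src} udp/{port} -> {srv}")
        print("  split clients:", split_clients(decisions) or "none")
```

With port-level keys each service group's round robin runs independently, so the interleaved arrival order sends both clients' UDP/500 and UDP/4500 flows to different backends; with the key at server level the first flow from a client pins every later port to the same backend, which is the property the IKEv2 negotiation needs. The reselect flag shows why the later reply pairs the persistence template with re-select-if-server-down: without it a client whose backend has gone down keeps being handed the dead server.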

Thanks Guys, your replies have led me straight to a working configuration. Following holiday / family bereavement / other work commitments we now have this up and running.
The config below is working fine, and I thought I would share it to say thanks and in case it helps others.
Our front end Virtual Server IP is 192.168.98.1
The two RAS servers are 192.168.99.8 & 192.168.99.9

!
slb server S-MS-AoVPN-RAS1 192.168.99.8 
  port 500 udp 
    health-check-disable 
  port 4500 udp 
    health-check-disable 
!
slb server S-MS-AoVPN-RAS2 192.168.99.9 
  port 500 udp 
    health-check-disable 
  port 4500 udp 
    health-check-disable 
!
slb service-group SG-MS-AoVPN-UDP-4500 udp 
  template port template_delsessiondown 
  member S-MS-AoVPN-RAS1 4500 
  member S-MS-AoVPN-RAS2 4500 
!
slb service-group SG-MS-AoVPN-UDP-500 udp 
  template port template_delsessiondown 
  member S-MS-AoVPN-RAS1 500 
  member S-MS-AoVPN-RAS2 500 
!
slb template persist source-ip T-MS-AoVPN-SRC-IP 
  match-type server 
!
slb template udp template_reselectifdown 
  re-select-if-server-down 
!
slb virtual-server VS-MS-AoVPN 192.168.98.1 /32 
  disable-when-all-ports-down 
  port 500 udp 
    service-group SG-MS-AoVPN-UDP-500 
    template persist source-ip T-MS-AoVPN-SRC-IP 
    template udp template_reselectifdown 
  port 4500 udp 
    service-group SG-MS-AoVPN-UDP-4500 
    template persist source-ip T-MS-AoVPN-SRC-IP 
    template udp template_reselectifdown 
!