Microsoft Always On VPN Load Balancing

Question

We are in the process of implementing AOVPN and have it up and running successfully. Currently, we have SNAT set to Automap so the connections on the RRAS side are showing the F5 self IP as the source. With this, the server team noticed that there is an SA limit of 35 sessions per source IP address, which obviously presents scalability issues. Also, for security purposes, they'd like to see the originating public IP of the end user.

One thought I had for scalability was to implement a dedicated SNAT pool for the AOVPN deployment alone but that still won't allow us to reveal the originating public IP.

I am not finding any documentation outside of the Richard Hicks posts on this type of deployment. In his posts he does state to leave SNAT as "None" - however, this will introduce an asymmetric routing issue - as we have tested and confirmed.

Has anyone else implemented and how did you accomplish this successfully?

henrikdk · Answer

Hi mbrandon32Did you find a solution for this&nbsp;asymmetric routing issue?We also use F5 for loadbalance for our AlwaysOn VPN, but use Auto MAP for SNAT at the moment.&nbsp;

Forum Discussion

Microsoft Always On VPN Load Balancing

Recent Discussions

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

Related Content

Microsoft 365 IP Steering python Script

Microsoft Powershell with iControl

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

Exploring the Zero Trust Models of AWS, Microsoft, and Google

Load Balancing TCP TLS Encrypted Syslog Messages

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS