Forum Discussion

mbrandon32's avatar
Dec 01, 2021

Microsoft Always On VPN Load Balancing

We are in the process of implementing AOVPN and have it up and running successfully. Currently, we have SNAT set to Automap so the connections on the RRAS side are showing the F5 self IP as the source. With this, the server team noticed that there is an SA limit of 35 sessions per source IP address, which obviously presents scalability issues. Also, for security purposes, they'd like to see the originating public IP of the end user.

 

One thought I had for scalability was to implement a dedicated SNAT pool for the AOVPN deployment alone but that still won't allow us to reveal the originating public IP.

 

I am not finding any documentation outside of the Richard Hicks posts on this type of deployment. In his posts he does state to leave SNAT as "None" - however, this will introduce an asymmetric routing issue - as we have tested and confirmed.

 

Has anyone else implemented and how did you accomplish this successfully?

1 Reply

  • Hi mbrandon32

    Did you find a solution for this asymmetric routing issue?

    We also use F5 for loadbalance for our AlwaysOn VPN, but use Auto MAP for SNAT at the moment.