Microsoft Always On VPN Load Balancing

mbrandon32
Cirrus

We are in the process of implementing AOVPN and have it up and running successfully. Currently, we have SNAT set to Automap so the connections on the RRAS side are showing the F5 self IP as the source. With this, the server team noticed that there is an SA limit of 35 sessions per source IP address, which obviously presents scalability issues. Also, for security purposes, they'd like to see the originating public IP of the end user.

One thought I had for scalability was to implement a dedicated SNAT pool for the AOVPN deployment alone but that still won't allow us to reveal the originating public IP.

I am not finding any documentation outside of the Richard Hicks posts on this type of deployment. In his posts he does state to leave SNAT as "None" - however, this will introduce an asymmetric routing issue - as we have tested and confirmed.

Has anyone else implemented this, and how did you accomplish it successfully?

1 REPLY

HenrikDK
Nimbostratus

Hi mbrandon32

Did you find a solution for this asymmetric routing issue?

We also use F5 for load balancing our AlwaysOn VPN, but use Auto Map for SNAT at the moment.