Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Microsoft Always On VPN Load Balancing

mbrandon32
Cirrus
Cirrus

‎01-Dec-2021 08:09

We are in the process of implementing AOVPN and have it up and running successfully. Currently, we have SNAT set to Automap so the connections on the RRAS side are showing the F5 self IP as the source. With this, the server team noticed that there is an SA limit of 35 sessions per source IP address, which obviously presents scalability issues. Also, for security purposes, they'd like to see the originating public IP of the end user.

 

One thought I had for scalability was to implement a dedicated SNAT pool for the AOVPN deployment alone but that still won't allow us to reveal the originating public IP.

 

I am not finding any documentation outside of the Richard Hicks posts on this type of deployment. In his posts he does state to leave SNAT as "None" - however, this will introduce an asymmetric routing issue - as we have tested and confirmed.

 

Has anyone else implemented and how did you accomplish this successfully?

Labels:
0 Kudos
1 REPLY 1

HenrikDK
Nimbostratus
Nimbostratus

‎13-Nov-2022 04:24

Hi mbrandon32

Did you find a solution for this asymmetric routing issue?

We also use F5 for loadbalance for our AlwaysOn VPN, but use Auto MAP for SNAT at the moment.

 

0 Kudos
Copyright © 2023 Khoros, LLC