iRules for Persistence for Load Balancing Remote VPN requests

umahar
Cisco Employee

Hi,

We are planning to deploy F5 Load Balancer in a partially inline fashion because we want to bypass non-LB traffic (replication, AD, etc.) from F5.

Looking at the guide we will be using AVP 31 - Calling Station ID for persistence in iRules.

We also have VPN users authenticating. What attributes can be used to achieve true load balancing?

4 Replies

hslai
Cisco Employee

VPN users will have their Internet gateway addresses as the calling station ID so it should be ok to load balance on that. Else, please see if VPN connections have other attributes good for persistency.

umahar
Cisco Employee

Hi,

However, if we have a single ASA, in that case all RADIUS requests would go to the same PSN, which essentially wouldn't be true load balancing.

hslai
Cisco Employee

No, unless the corp and the client are using the same gateway.

The calling station ID is usually the internet gateway/router of the client endpoint network.

[ Home Nets ] -- [ Client GW ] -- [ Internet ] -- [ Corp GW ] -- [ ASA ] -- [ Corp Nets ]

In case of a big branch instead of a home, you would need to look for other attributes. How about RADIUS:User-Name?
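To illustrate the choice of persistence attribute discussed in the replies above, the following is an added example and not part of the original thread or any F5 or Cisco code. It parses RADIUS requests, builds a persistence key from Calling-Station-Id (AVP 31) or User-Name (AVP 1), and uses a toy persistence table as a simplified stand-in for the load balancer; `PersistTable`, `build_request` and the pool member names are hypothetical.

```python
import struct

USER_NAME, CALLING_STATION_ID = 1, 31  # RADIUS attribute types (RFC 2865)

def parse_avps(packet: bytes) -> dict:
    """Return {type: first value} from a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        avps.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return avps

def persistence_key(packet: bytes, order=(CALLING_STATION_ID, USER_NAME)) -> str:
    """First non-empty attribute in `order`, normalised, tagged with its type."""
    avps = parse_avps(packet)
    for atype in order:
        value = avps.get(atype)
        if value:
            return f"{atype}:{value.decode('utf-8', 'replace').lower()}"
    raise ValueError("no persistence attribute present")

class PersistTable:
    """Toy persistence table: new keys get the next member, known keys stick."""
    def __init__(self, members, order=(CALLING_STATION_ID, USER_NAME)):
        self.members, self.order, self.table = list(members), order, {}

    def pick(self, packet: bytes) -> str:
        key = persistence_key(packet, self.order)
        if key not in self.table:
            self.table[key] = self.members[len(self.table) % len(self.members)]
        return self.table[key]

def build_request(ident: int, avps) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body
```

With the default order, two users behind one branch gateway share a key and land on the same member; passing `order=(USER_NAME,)` separates them.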

umahar
Cisco Employee

Thanks Hsing-Tsu. The CU has parked VPN aside for now.

We will revisit this again in the next few weeks.