How to load balance IKEv2?


MBi
Hello,

We are using Always On VPN from Microsoft, which uses the IKEv2 protocol (500/udp, 4500/udp). This is not the same as DirectAccess.

The problem is that when we configure the NetScaler to load balance connections, Windows 10 clients cannot connect (they try and then disconnect after a few seconds). As soon as we put one of the two RAS servers in maintenance, it works.

It seems we cannot load balance IKEv2 connections. We use persistent connections (source IP, ...).

How can we make it work?

Thanks in advance.


@MBi

Is NAT being used in your environment? If so, it's likely that the sessions are starting on one server and then moving to the other after NAT is discovered. The second connection using 4500 probably goes to server 2 after NAT discovery, which isn't aware of the previous connection. 

When you deactivate one server, then all traffic is forced only to the other, which is why it works correctly.


Sorry to drag up an old thread, but I am stuck. I have set up multiple load-balanced VIPs with the same IP, with UDP 500 and UDP 4500 and two RRAS servers in a service group attached, and am having issues too. OP, did you ever get that sorted? Were you using Any for the protocol or specifying UDP? I'm going to have to do a trace and see where it's breaking down, but I think what you might be missing is a Persistent Group to keep both 500 and 4500 tied to the same host.

Thanks

On 8/6/2019 at 10:15 AM, Alan Behan said:

Sorry to drag up an old thread, but I am stuck. I have set up multiple load-balanced VIPs with the same IP, with UDP 500 and UDP 4500 and two RRAS servers in a service group attached, and am having issues too. OP, did you ever get that sorted? Were you using Any for the protocol or specifying UDP? I'm going to have to do a trace and see where it's breaking down, but I think what you might be missing is a Persistent Group to keep both 500 and 4500 tied to the same host.

Thanks

I got this exact solution to work by having 2 LB VSs, one for UDP 500 and one for UDP 4500. A persistency group keeps the connection going to the same server once the connection has been established (UDP 500) and the data channel is opened on UDP 4500.

On 3/23/2020 at 9:59 PM, Aaron Hutchinson said:

I got this exact solution to work by having 2 LB VSs, one for UDP 500 and one for UDP 4500. A persistency group keeps the connection going to the same server once the connection has been established (UDP 500) and the data channel is opened on UDP 4500.

Great - yes, also got it to work.

I have it working at the moment with an ANY protocol / ANY port and a listen policy, which works too, but I might flip it back to using UDP and separate LB VSs. The only reason I changed it was an environment issue that caused it to not behave as expected: multiple clients behind a single IP, which throws out the LB / persistency. But as that's identified as an environment issue and not a feature of the NetScaler, I might move it back.

One thing I have yet to do is tweak the Client Timeout values from the defaults, as I'm finding that sometimes when the VPN disconnects or broadband drops temporarily, reconnects don't always happen correctly (but that may be a "feature" of Win10).
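
The layout the two replies above describe (two UDP LB vservers on one VIP, one per IKE port, tied together by a source-IP persistency group) written out as NetScaler CLI. This is an added example, not configuration posted by anyone in the thread or shipped by Citrix or Microsoft; the server names, addresses (10.0.0.11, 10.0.0.12, VIP 203.0.113.10), object names and timeout values are all assumptions to be replaced with your own.

```nscli
# Added example: NetScaler CLI for two UDP LB vservers plus a persistency group.
# All names, addresses and timeouts are assumptions, not values from the thread.

# Back-end RRAS servers (assumed addresses)
add server rras1 10.0.0.11
add server rras2 10.0.0.12

# One UDP service group per IKE port; both groups hold the same two RRAS servers
add serviceGroup sg_ikev2_500 UDP
bind serviceGroup sg_ikev2_500 rras1 500
bind serviceGroup sg_ikev2_500 rras2 500
add serviceGroup sg_ikev2_4500 UDP
bind serviceGroup sg_ikev2_4500 rras1 4500
bind serviceGroup sg_ikev2_4500 rras2 4500

# Two LB vservers on the same VIP (assumed 203.0.113.10), one per port
add lb vserver vs_ikev2_500 UDP 203.0.113.10 500
add lb vserver vs_ikev2_4500 UDP 203.0.113.10 4500
bind lb vserver vs_ikev2_500 sg_ikev2_500
bind lb vserver vs_ikev2_4500 sg_ikev2_4500

# Persistency group: source-IP persistence is shared by both vservers, so the
# client that started IKE on UDP 500 is sent to the same RRAS server when it
# moves to UDP 4500 after NAT detection (the split the first reply describes).
# -timeout is the lifetime of the persistence entry in minutes (assumed value).
bind lb group grp_ikev2 vs_ikev2_500
bind lb group grp_ikev2 vs_ikev2_4500
set lb group grp_ikev2 -persistenceType SOURCEIP -timeout 480

# Optional: raise the UDP client idle timeout (seconds) above the default so a
# short broadband drop does not age out the session mapping (assumed value).
set serviceGroup sg_ikev2_500 -cltTimeout 300
set serviceGroup sg_ikev2_4500 -cltTimeout 300
```

`show lb group grp_ikev2` confirms both vservers are members and shows the persistence type, and `show persistentSessions` lists the live source-IP to server mappings, which is the quickest way to see whether a client's 500 and 4500 traffic landed on the same RRAS server. The caveat the last reply raises applies unchanged: with SOURCEIP persistence, every client behind one NAT address is pinned to one RRAS server for the lifetime of the entry, which is correct for IKEv2 but will skew the load between the two servers.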
