vjoshi_FTNT
Staff
Article Id 194736

Description

"Measured-volume-based" WAN Link Load Balancing requires NAT on the Firewall policy for proper functioning of the traffic.


Scope

All FortiOS.


Solution

This article explains the importance of NAT in WAN link load balancing, especially when the "Measured-volume-based" load-balance mode is applied. It applies wherever there are at least two WAN links and WAN LLB is configured.

Without NAT applied on the firewall policy, sessions may be observed to disconnect and reconnect on their own; this is seen mainly with sensitive applications passing through the FortiGate.

When this happens, the cause may be the ISP switching that load balancing performs.

Why do ISPs switch?

Usually, the virtual-wan-link should be used together with NAT to avoid asymmetric routing problems. Additionally, in measured-volume-based mode the routes are updated every 5 minutes to adjust the member weights. At that moment the session is flagged as dirty and the existing session recalculates its outgoing interface. That is why the ISP may change. NAT also prevents this switching problem.

Troubleshooting Commands

The following commands can be used to confirm the behavior:

# diag sys session filter dst <destination_IP>
# diag sys session list
# diagnose ip rtcache list

As a best practice, NAT is recommended in any type of ECMP load balancing.