FortiGate
fquerzo_FTNT
Staff
Article Id 194270

Description
This article describes how to resolve an RDP session freezing issue seen by SSL VPN tunnel-mode clients that terminate on one of the member interfaces of an SD-WAN set up with the volume-based load-balance method.

Solution
EXPLANATION OF PROBLEM DESCRIPTION:

1) SSL VPN tunnel mode via FortiClient suffers RDP freezing of around 15-20 seconds every 5-10 minutes. Other services over the tunnel work fine; only RDP is affected.

2) 'preserve-session-route' is enabled on both interfaces.

#config system interface
    edit "port4"
        set preserve-session-route enable
    next
    edit "port14"
        set preserve-session-route enable
    next
end

3) The SSL VPN settings use port4 and port14 as source interfaces.

#config vpn ssl settings
set source-interface "port4" "port14"
end

4) SD-WAN is defined with port4 and port14 as member interfaces.
    A volume-ratio of 100 was set on port4 with the expectation that port4 would act as the primary link and that port14 would carry traffic only as a backup if port4 went down.

#config system virtual-wan-link
    set status enable
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "port4"
            set gateway 10.10.10.9
            set volume-ratio 100
        next
        edit 2
            set interface "port14"
            set gateway 192.168.100.9
        next
    end
    config health-check
        edit "google"
            set server "8.8.8.8"
            set members 1 2
        next
    end
end

#config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

5) The virtual-wan-link debug output shows that, at the moment the SSL VPN user sees the RDP session freeze, SD-WAN deletes the default route for both port4 and port14 and immediately re-installs both with recalculated weights: port4 with a non-zero weight (39, then 28) and port14 with weight 0. Each delete/re-add cycle is a change to the default route (at 13:07:01 and again at 13:32:01 in the excerpt below), and that is what the established sessions experience.

#diagnose debug application virtual-wan-link -1
#diagnose debug enable

2019-07-26 13:07:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/prio(1/0)
2019-07-26 13:07:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/prio(1/0)

2019-07-26 13:07:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/weight/prio(1/39/0)
2019-07-26 13:07:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/weight/prio(1/0/0)

2019-07-26 13:32:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/prio(1/0)
2019-07-26 13:32:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/prio(1/0)

2019-07-26 13:32:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/weight/prio(1/28/0)
2019-07-26 13:32:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/weight/prio(1/0/0)
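
The script below is an added example for this article, not FortiOS code or output from the original case. It parses a saved capture of the 'diagnose debug application virtual-wan-link -1' output and reports every default-route delete/re-add cycle with the weights that were re-installed, the member that ended up preferred, how long since the previous cycle, and whether a member disappeared entirely. The 13:07:01 and 13:32:01 lines in SAMPLE_LOG are the ones quoted above; the 13:40:11 lines are constructed to show how a member dropping out (only one route re-installed) looks different from a plain weight recalculation (both routes re-installed).

```python
"""Detect SD-WAN default-route flaps in FortiGate
'diagnose debug application virtual-wan-link -1' output.

Added example for this article, not FortiOS code. The 13:07:01 and
13:32:01 entries in SAMPLE_LOG are the lines quoted in the article; the
13:40:11 entries are constructed to illustrate a member dropping out.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One vwl_route_install / vwl_route_uninstall line. Install lines carry
# distance/weight/prio, uninstall lines only distance/prio.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"vwl_route_(?P<op>install|uninstall)\(\)-\d+: (?:add|del) route "
    r"(?P<dst>[\d.]+) (?P<mask>[\d.]+), gw\((?P<gw>[\d.]+)\), "
    r"oif\((?P<oif>\w+), \d+\), distance(?:/weight)?/prio\((?P<nums>[\d/]+)\)$"
)

SAMPLE_LOG = """\
2019-07-26 13:07:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/prio(1/0)
2019-07-26 13:07:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/prio(1/0)
2019-07-26 13:07:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/weight/prio(1/39/0)
2019-07-26 13:07:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/weight/prio(1/0/0)
2019-07-26 13:32:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/prio(1/0)
2019-07-26 13:32:01 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/prio(1/0)
2019-07-26 13:32:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/weight/prio(1/28/0)
2019-07-26 13:32:01 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/weight/prio(1/0/0)
(constructed) the three lines below are not from the article
2019-07-26 13:40:11 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(10.10.10.9), oif(port4, 22), distance/prio(1/0)
2019-07-26 13:40:11 vwl_route_uninstall()-94: del route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/prio(1/0)
2019-07-26 13:40:11 vwl_route_install()-65: add route 0.0.0.0 0.0.0.0, gw(192.168.100.9), oif(port14, 10), distance/weight/prio(1/1/0)
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a vwl route install/uninstall line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m["nums"].split("/")]
    weight = nums[1] if m["op"] == "install" else None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "op": m["op"],
        "route": f"{m['dst']} {m['mask']}",
        "oif": m["oif"],
        "gw": m["gw"],
        "weight": weight,
    }


def find_flaps(log: str) -> List[dict]:
    """A flap is an uninstall and a re-install of the same destination
    logged in the same second. Returns one record per flap, in time order."""
    groups: Dict[Tuple[datetime, str], List[dict]] = defaultdict(list)
    for line in log.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["ts"], ev["route"])].append(ev)

    flaps: List[dict] = []
    last: Dict[str, Tuple[datetime, str]] = {}  # route -> (ts, preferred oif)
    for (ts, route), evs in sorted(groups.items()):
        removed = {e["oif"] for e in evs if e["op"] == "uninstall"}
        weights = {e["oif"]: e["weight"] for e in evs if e["op"] == "install"}
        if not removed or not weights:
            continue  # a bare delete or a bare add is not a flap
        preferred = max(weights, key=weights.get)  # highest re-installed weight
        prev = last.get(route)
        flaps.append({
            "ts": ts,
            "route": route,
            "weights": weights,
            "preferred": preferred,
            "members_dropped": sorted(removed - weights.keys()),
            "interval_s": None if prev is None else int((ts - prev[0]).total_seconds()),
            "preferred_changed": prev is not None and preferred != prev[1],
        })
        last[route] = (ts, preferred)
    return flaps


if __name__ == "__main__":
    for f in find_flaps(SAMPLE_LOG):
        gap = "first seen" if f["interval_s"] is None else f"{f['interval_s']}s after previous"
        print(f"{f['ts']:%H:%M:%S} flap on {f['route']}: weights={f['weights']} "
              f"preferred={f['preferred']} dropped={f['members_dropped']} "
              f"preferred_changed={f['preferred_changed']} ({gap})")
```

Feed it a capture taken while the user reports freezes: on the configuration above it reports a flap at every weight recalculation even though port4 stays the preferred member, which is the signature of the problem described in this article rather than a genuine link failure (a failure shows up as a member in members_dropped). After applying the change in the Solution section, a fresh capture taken while both members are healthy should produce no flaps at all; 'diagnose sys virtual-wan-link member' shows the resulting per-member priority and weight.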

SOLUTION:

With the measured-volume-based load-balance method, the volume-ratio set on a member only changes how likely that member is to be chosen; it does not exclude any member. Every member remains a candidate regardless of its volume-ratio.
Traffic is distributed according to the measured traffic volume (in bytes), so the member with the higher volume-ratio carries more of it, and SD-WAN periodically recalculates the route weights to keep the split on target.


In the scenario above, this means the default route can be deleted and re-installed with new weights every few minutes, each time SD-WAN recalculates them. Each such route change can force the established RDP session inside the SSL VPN tunnel to reconnect, which the user sees as a freeze.


If the requirement is one member as primary and the other purely as backup, that is not a load-balancing requirement at all: use member priority together with the source-ip-based load-balance mode instead.

Apply the following change to resolve the issue.

- Change load-balance-mode from measured-volume-based to source-ip-based.
- Remove 'set volume-ratio 100' from the primary member interface port4 (it only has an effect in measured-volume-based mode).
- Give port14 a higher priority value than port4. A lower priority value is preferred, so port4 keeps its default (lowest) priority and is the primary member, while port14 with priority 100 is used only when the route via port4 is unavailable.
#config system virtual-wan-link
    set status enable
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "port4"
            set gateway 10.10.10.9
        next
        edit 2
            set interface "port14"
            set gateway 192.168.100.9
            set priority 100   >>> higher value = less preferred; port14 becomes the backup for port4
        next
    end
    config health-check
        edit "google"
            set server "8.8.8.8"
            set members 1 2
        next
    end
end