It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda CloudGen Firewall
Overview Documentation Training Certification Materials

How to Configure Session Balancing for VPN Tunnels with SD-WAN

  • Last updated on

Session-based balancing for multi-transport TINA VPN tunnels is enabled per access rule in the SD-WAN settings of the custom connection object. Session balancing can use a static round robin or an adaptive weighted round robin balancing policy:

  • (Static) Session Balancing – Sessions are distributed over the configured transports by using a round-robin stye balancing policy. If used without adaptive balancing, it is recommended to use transports of similar bandwidth and latency (Round Trip Time). Static balancing is available for all transport protocols. Static session balancing can be configured to balance over multiple transports in the same SD-WAN class based on the defined SD-WAN ID range.
  • Adaptive Session Balancing – All sessions are initially balanced statically over the primary and secondary transports. Link quality metrics gathered by Dynamic Bandwidth and Latency Detection are then used to rebalance sessions with lifetimes over 5 seconds to use the optimal transport. Shorter sessions are not rebalanced. Adaptive session balancing is available only on UDP transports. It is not possible to use session balancing with all transports in a class.

Before You Begin

Create a multi-transport VPN tunnel between two CloudGen Firewalls:

Step 1. (Adaptive Session Balancing only) Enable Dynamic Bandwidth and Latency Detection for the VPN Transports

On both VPN endpoints, edit the TINA site-to-site VPN tunnel to enable Dynamic Bandwidth and Round Trip Time Detection.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN Service > Site to Site VPN.
  2. Click Lock.
  3. Double-click the TINA VPN tunnel transport. The TINA Tunnel Transport window opens.
  4. Click the SD-WAN - Bandwidth Protection tab.
  5. From the Dynamic Bandwidth Detection list, select a policy:
    • Active Probing and Passive Monitoring
    • Active Probing Only
    • No Probing - use Estimated Bandwidth
  6. Enter the Estimated Bandwidth bandwidth.
  7. (optional) From the Bandwidth Policy list, select Consolidated Shaping and select the Assigned QoS Profile. For more information, see TINA Tunnel Settings.
    adapt_bandw_protection.png
  8. Click OK.
  9. Click Send Changes and Activate.

To verify that Dynamic Bandwidth and Round Trip Time Detection is running, go to VPN > Site-to-Site. Right-click the transport and select Monitor Traffic.

TI_session_balancing_00a.png

Step 2. Create a Custom Connection Object for the Firewall Acting as SD-WAN Primary

Configure session balancing with explicit transport selection. You can balance between the primary and secondary transport, or over multiple IDs of the primary transport class.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
  4. In the Name field, enter a name for the connection object.
  5. From the Translated Source IP list, select Original Source IP.
    TI_session_balacing_01.png
  6. To edit the VPN SD-WAN settings, click Edit/Show... . The SD-WAN Settings window opens.  

  7. From the SD-WAN Learning Policy drop-down list, select Primary.

    Feature Level 8Feature Level 9

    ti_FL8_add_primary.png

    ti_FL9_add_primary.png

    • Primary Transport Class – Select the SD-WAN class of the primary transport. 
    • Primary Transport ID – Select the ID for the primary transport.Configure the primary transport class and ID:
  8. Feature Level 8Feature Level 9

    TI_FL8_session_balancing_primary_settings.png

    TI_FL9_explicit_transport_selection_primary_settings.png

  9. (Balancing between primary and secondary transports only) Configure the secondary transport class and ID: 
    • Secondary Transport Class – Select the SD-WAN class secondary transport. 
    • Secondary Transport ID – Select the ID for the secondary transport.
    Feature Level 8Feature Level 9

    TI_FL8_explicit_transport_selection_secondary_settings.png

    TI_FL9_explicit_transport_selection_secondary_settings.png

  10. Click OK.
  11. Click Send Changes and Activate.

Step 3. Create a Custom Connection Object for the Firewall Acting as SD-WAN Secondary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
  4. Enter a Name.
  5. From the Translated Source IP list, select Original Source IP.
    performance_based_transport_selection_01a.png
  6. To edit the VPN SD-WAN settings, click Edit/Show... . The SD-WAN Settings window opens.

  7. From the SD-WAN Learning Policy drop-down list, select Secondary.

    Feature Level 8Feature Level 9

    TI_FL8_transport_policies_add_secondary_settings.png

    TI_FL9_transport_policies_add_secondary_settings.png

  8. Click OK.
  9. Click Send Changes and Activate.

Step 4. Modify the Access Rule on the Firewall Acting as SD-WAN Primary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks. 
    • Service– Select a service object from the list.
    • Destination – Select the network object containing the remote networks
    • Connection Method – Select the connection object for the SD-WAN Primary created in Step 2.
    TI_session_balacing_04.png
  4. Click OK.
  5. Click Send Changes and Activate.

Step 5. Modify the Access Rule on the Firewall Acting as SD-WAN Secondary

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks. 
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks
    • Connection Method – Select the connection object for the SD-WAN Secondary created in Step 3.
    TI_session_balacing_04a.png
  4. Click OK.
  5. Click Send Changes and Activate.