Symptom
FMC/FTD: VPN Load Balancing with Remote Access.
FMC pushes the wrong interface as the lbpublic interface of the VPN load-balancing block. As a result the deployment fails with a validation error, because the cluster IP is not on the subnet of the interface that was pushed as lbpublic:
FMC >> vpn load-balancing
FMC >> priority 5
FMC >> interface lbpublic Outside2 <--- should be Outside1
FMC >> interface lbprivate Inside-Comm
FMC >> cluster key ******
FMC >> cluster ip address 203.0.113.1 <--- IP from Outside1 address
>> info : Cluster IP address/host name is not on the same subnet as the public interface.
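The check FMC applies here is simple: the cluster IP must lie on the subnet of the interface named by "interface lbpublic". The following is an added example, not part of the bug report or of any Cisco tooling, that reproduces that check offline against a config snippet and names the interface whose subnet actually contains the cluster IP. The interface stanzas are constructed from the topology in this bug; the physical interface names (GigabitEthernet0/x) and the Inside-Comm address are assumptions.

```python
# Pre-deployment sanity check for an FTD/ASA 'vpn load-balancing' block: reproduces the
# FMC validation quoted in the bug (cluster IP must be on the lbpublic subnet).
import ipaddress
import re

# Constructed FTD1 interface stanzas; physical names and the Inside-Comm address are assumed.
INTERFACES_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside1
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif Outside2
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/2
 nameif Inside-Comm
 ip address 10.0.0.2 255.255.255.0
"""

# The block FMC generates in the failing case (as quoted in the bug report).
BAD_LB_CONFIG = """\
vpn load-balancing
 priority 5
 interface lbpublic Outside2
 interface lbprivate Inside-Comm
 cluster key ******
 cluster ip address 203.0.113.1
 participate
"""

# The block after the workaround: lbpublic is no longer pushed.
WORKAROUND_LB_CONFIG = """\
vpn load-balancing
 interface lbprivate Inside-Comm
 cluster ip address 203.0.113.1
 participate
"""

_LB_SUBCOMMANDS = ("priority ", "interface lb", "cluster ", "participate",
                   "redirect-fqdn", "nat ")


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface stanza that has an address."""
    result, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                   # new stanza, nameif not seen yet
        elif line.startswith("nameif "):
            nameif = line.split(None, 1)[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]  # 'ip address A.B.C.D M.M.M.M [standby ...]'
            result[nameif] = ipaddress.ip_interface(f"{addr}/{mask}")
    return result


def parse_vpn_lb(config):
    """Extract lbpublic, lbprivate and cluster IP from the vpn load-balancing block."""
    lb, in_block = {"lbpublic": None, "lbprivate": None, "cluster_ip": None}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "vpn load-balancing":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(_LB_SUBCOMMANDS):
            break                           # first line past the block
        m = re.match(r"interface (lbpublic|lbprivate) (\S+)$", line)
        if m:
            lb[m.group(1)] = m.group(2)
        m = re.match(r"cluster ip address (\S+)$", line)
        if m:
            lb["cluster_ip"] = m.group(1)
    return lb


def expected_lbpublic(interfaces, cluster_ip):
    """Return the nameif whose subnet contains cluster_ip, or None if none does."""
    addr = ipaddress.ip_address(cluster_ip)
    return next((n for n, i in interfaces.items() if addr in i.network), None)


def check_vpn_lb(interfaces, lb):
    """Return findings (empty list = pass). An omitted lbpublic means the device
    default applies, which is not modelled here, so only an explicit one is checked."""
    findings = []
    if lb["cluster_ip"] is None:
        return ["cluster ip address is missing"]
    for role in ("lbpublic", "lbprivate"):
        if lb[role] is not None and lb[role] not in interfaces:
            findings.append(f"{role} {lb[role]} is not a configured nameif")
    pub = lb["lbpublic"]
    if pub in interfaces:
        net = interfaces[pub].network
        if ipaddress.ip_address(lb["cluster_ip"]) not in net:
            want = expected_lbpublic(interfaces, lb["cluster_ip"])
            findings.append(f"cluster ip {lb['cluster_ip']} is not on lbpublic {pub} "
                            f"subnet {net}" + (f"; it belongs to {want}" if want else ""))
    return findings
```

Running check_vpn_lb over BAD_LB_CONFIG reports that 203.0.113.1 is not on Outside2's 198.51.100.0/24 and that it belongs to Outside1, which is the same conclusion FMC's deployment validation reaches; the same block with lbpublic Outside1, or the post-workaround block with no lbpublic line at all, produces no findings. Feeding the checker the "show running-config vpn load-balancing" and interface output of an FTD is a quick way to confirm which interface the deployment ended up on.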
Conditions
1) FMC/FTD with the VPN Load Balancing.
2) Remote Access VPN enabled on more than one interface. In the example below these are Outside1 and Outside2; Outside1 is the interface intended for VPN Load Balancing, since its subnet contains the cluster IP.
Topology:
FTD1: Inside-Comm (lbprivate), Outside1 203.0.113.2, Outside2 198.51.100.2
FTD2: Inside-Comm (lbprivate), Outside1 203.0.113.3, Outside2 198.51.100.3
Cluster IP: 203.0.113.1 (Outside1 subnet)
Workaround
1. Go to Remote Access Policy -> Access Interfaces. Remove the Outside2 interface. Save.
2. Go to Advanced -> Load Balancing. Disable VPN Load Balancing for the FTDs in Device Participation. Save.
3. Go back to Access Interfaces, re-add Outside2, save, deploy. Outside1 is now at the top of the Access Interfaces list.
4. Go to Advanced -> Load Balancing. Enable VPN LB for the FTDs in Device Participation. Save. Deploy.
Result: the lbpublic command is no longer pushed and the VPN Load Balancer works on the Outside1 interface:
vpn load-balancing
interface lbprivate Inside-Comm
cluster ip address 203.0.113.1
participate
While the workaround is applied, SSL VPN stays enabled on the devices; only VPN Load Balancing is disabled for a moment.
Further Problem Description
FMC does not allow the lbpublic interface to be selected explicitly.
As a result VPN LB is apparently configured using the first interface listed under Access Interfaces.
In some cases FMC starts pushing an "lbpublic" line that names an interface other than the one the cluster IP belongs to, which prevents deployment (the subnet validation error above) or proper VPN Load Balancer operation.