A recent update to the Kemp LoadMaster load balancer may cause failed connections for Always On VPN connections using IKEv2. SSTP VPN connections are unaffected.
Load Balancing IKEv2
When using the Kemp LoadMaster load balancer to load balance IKEv2, custom configuration is required to ensure proper operation. Specifically, the virtual service must be configured to use “port following” to ensure both the initial request on UDP port 500 and the subsequent request on UDP port 4500 are sent to the same real server. This requires the virtual service to be configured to operate at layer 7. Detailed configuration guidance for load balancing IKEv2 on the Kemp LoadMaster load balancer can be found here.
Issues with LMOS 7.2.48.0
A recent release of the Load Master Operating System (LMOS) v7.2.48.0 introduced a bug that affects UDP services configured to operate at layer 7, which includes IKEv2. This bug breaks Always On VPN connections using IKEv2, resulting in failed connections. When this occurs, the administrator may encounter an error 809 message for device tunnel or user tunnel.
Update Available
Administrators who use the Kemp LoadMaster load balancer to load balance Always On VPN IKEv2 connections and have updated to LMOS 7.2.48.0 are encouraged to update to LMOS 7.2.48.1 immediately. This latest update includes a fix that resolves broken IKEv2 load balancing for Always On VPN. Once the LoadMaster has been updated to 7.2.48.1, Always On VPN connections using IKEv2 should complete successfully.
Additional Information
Windows 10 Always On VPN IKEv2 Load Balancing and NAT
Windows 10 Always On VPN IKEv2 Load Balancing with Kemp LoadMaster Load Balancer
Windows 10 Always On VPN SSTP Load Balancing with Kemp LoadMaster Load Balancer
Windows 10 Always On VPN Load Balancing with Kemp LoadMaster in Azure
Windows 10 Always On VPN Load Balancing Deployment Guide for Kemp Load Balancers
