Forum Discussion
IPSec persistence on F5 LTM
Hi all !
I have a problem with VPN IPSec persistence for which I currently have no solution.
The architecture is like this:
Firewall(s) <=> LTM <=> Multiple Routers <=> Internet <=> Firewall(s)
All VPN IPSec tunnels are between our firewalls and our customers' firewalls. We have multiple ISPs and forward traffic using a pool of gateways (containing our routers, weighted by Priority Group automatic activation).
So traffic goes through forwarding VSs like these:
From inside:
    virtual FWD_INT_0.0.0.0-0 {
        destination any:any
        mask 0.0.0.0
        profiles fastL4-NO_SYN {}
        vlans external disable
    }
From outside:
    virtual FW_EXT_a.b.c.d_24 {
        destination a.b.c.d:any
        mask 255.255.255.0
        profiles fastL4-NO_SYN {}
        vlans internal disable
    }
The fastL4 profile with no SYN check (loose initiation) is like this:
    profile fastL4 fastL4 {
        reset on timeout enable
        reassemble fragments disable
        idle timeout 2000
        tcp handshake timeout 5
        tcp close timeout 5
        mss override 0
        pva acceleration full
        tcp timestamp preserve
        tcp wscale preserve
        tcp generate isn disable
        tcp strip sack disable
        ip tos to client pass
        ip tos to server pass
        link qos to client pass
        link qos to server pass
        rtt from client disable
        rtt from server disable
        loose initiation disable
        loose close disable
        hardware syncookie disable
        software syncookie disable
    }
    profile fastL4 fastL4-NO_SYN {
        defaults from fastL4
        loose initiation enable
        loose close enable
    }
When one of our routers is down, or traffic is routed through other links due to Priority Group activation, we have persistence problems on the LTM for the ISAKMP, IKE and UDP protocols. Killing the session using tmsh solves the problem, but this action is manual.
Is there anything I can do to avoid persistence for the VPN IPSec protocols?
Thanks in advance for your help.
Fabien VINCENT
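As an added illustration (not part of the original post and not F5 tooling), the manual tmsh clean-up described above can be turned into a reviewable script: parse the output of `tmsh show sys connection`, keep only IKE (UDP 500/4500) and ESP entries that have been idle longer than a threshold, and print the matching `tmsh delete sys connection` commands. The column layout of the connection table, the spelling of the ESP protocol token and the sample lines are all assumptions constructed for this example.

```python
from dataclasses import dataclass
# Constructed sample of `tmsh show sys connection` output. The column layout (cs-client
# cs-server ss-client ss-server protocol idle-seconds ...) is assumed, not taken from a device.
SAMPLE_OUTPUT = """\
Sys::Connections
192.0.2.10:500  203.0.113.7:500  192.0.2.10:500  203.0.113.7:500  udp  1830  (tmm: 0)  none
192.0.2.10:4500  203.0.113.7:4500  192.0.2.10:4500  203.0.113.7:4500  udp  4  (tmm: 1)  none
192.0.2.10:0  203.0.113.7:0  192.0.2.10:0  203.0.113.7:0  esp  1795  (tmm: 0)  none
192.0.2.55:51234  198.51.100.20:443  192.0.2.55:51234  198.51.100.20:443  tcp  12  (tmm: 1)  none
Total records returned: 4
"""
IKE_PORTS = {500, 4500}      # ISAKMP/IKE and IKE NAT-T
ESP_TOKENS = {"esp", "50"}   # assumed spellings of IP protocol 50 in the table

@dataclass
class Flow:
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    idle: int

def parse_connections(text: str) -> list[Flow]:
    """Turn the raw table into Flow records, skipping header/footer lines."""
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 6 or ":" not in p[0] or not p[5].isdigit():
            continue
        c_addr, c_port = p[0].rsplit(":", 1)
        s_addr, s_port = p[1].rsplit(":", 1)
        flows.append(Flow(c_addr, int(c_port), s_addr, int(s_port), p[4], int(p[5])))
    return flows

def stale_ipsec_flows(text: str, min_idle: int) -> list[Flow]:
    """IKE/ESP entries idle at least min_idle seconds: candidates pinned to a failed-over path."""
    return [f for f in parse_connections(text)
            if ((f.proto == "udp" and f.server_port in IKE_PORTS) or f.proto in ESP_TOKENS)
            and f.idle >= min_idle]

def delete_commands(flows: list[Flow]) -> list[str]:
    """Render the manual tmsh clean-up as commands to review before running."""
    cmds = []
    for f in flows:
        cmd = f"tmsh delete sys connection cs-client-addr {f.client} cs-server-addr {f.server}"
        if f.server_port:        # ESP entries carry no port, so leave that filter off
            cmd += f" cs-server-port {f.server_port}"
        cmds.append(cmd)
    return cmds
```

Run `delete_commands(stale_ipsec_flows(SAMPLE_OUTPUT, 60))` to see the two commands the sample would produce; on a real unit, feed it the captured table instead and review the list before executing it.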
3 Replies

nitass (Employee):
just wondering if source address persistence with match across services helps.
sol5837: Match Across options for session persistence
http://support.f5.com/kb/en-us/solutions/public/5000/800/sol5837.html

Fabien_V__28825 (Nimbostratus):
There is no persistence and no pools configured on the forwarding VS... So I'm not sure we are talking about the same thing. I am talking about persistent connections on the LTM.

nitass (Employee):
> There is no persistence and no pools configured on the forwarding VS... So I'm not sure we are talking about the same thing. I am talking about persistent connections on the LTM.
sorry for not explaining well. i thought the problem was on the FWD_INT_0.0.0.0-0 virtual server and wondered if changing the virtual server type to performance L4 with source address persistence and using the gateways as a pool helps. in case you have more than one virtual server handling ipsec traffic, match across services may also be used.
just my 2 cents.