Forum Discussion
ISAKMP packets dropped
Hi,
I'm trying to move a site-to-site IPsec tunnel from a Cisco ASA 5505 to a BIG-IP LTM+AFM version 12.1.0. The tunnel was up and traffic flowed properly when the tunnel was terminated on the ASA, but not any longer. I have configured IKE phase 1, IPsec phase 2 and traffic selectors with the same parameters that were configured on the ASA, and I have also configured a forwarding virtual server, but my BIG-IP seems to drop ISAKMP traffic: it answers back to the peer with ICMP port 500 unreachable. What can be wrong? Am I missing something in Network Firewall? I have added ESP and ISAKMP to the Global rule and I can see the Count increasing. But phase 1 doesn't work anyway.
I have followed https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-12-1-0/10.html
Best regards, Andreas
- andbos_177202 (Nimbostratus)
I'm using the IP of a floating Self IP as local peer in the IPsec policy, mode is tunnel.
- andbos_177202 (Nimbostratus)
Port Lockdown on the Self IP was Allow None (default). I set it to Custom with udp/500 and ip proto 50, but unfortunately it didn't help.
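Port lockdown is the first thing to rule out when a self IP answers IKE with ICMP port unreachable, because a lockdown of Allow None or Default does not admit udp/500 or IP protocol 50. The script below is an added example and is not code from the thread or from F5: it parses the text that `tmsh list net self` prints and reports which of the services an IPsec peer needs are absent from a given self IP's allow-service list. The sample listing is constructed, the self IP names and addresses are made up, and the service-name aliases (udp:isakmp, proto:esp) are an assumption about how tmsh may render well-known services; add `udp:4500` to the required set if NAT traversal is in play, which goes beyond what the thread discusses.

```python
"""Report IPsec-relevant services missing from a BIG-IP self IP's port lockdown.

Added example, not from the original thread. Parses `tmsh list net self`
style output (format approximated from memory; verify against a real box).
"""
import re
import sys

# Names tmsh may print instead of numbers (assumed mapping, normalised to numbers).
SERVICE_ALIASES = {
    "udp:isakmp": "udp:500",
    "udp:ipsec-nat-t": "udp:4500",
    "proto:esp": "proto:50",
    "proto:ah": "proto:51",
}

# What an IKEv1/ESP tunnel-mode peer must reach on the local self IP.
# Add "udp:4500" here when NAT traversal is in use.
REQUIRED_FOR_IPSEC = ("udp:500", "proto:50")

# Constructed sample of `tmsh list net self` output; names and addresses are made up.
SAMPLE_LISTING = """\
net self /Common/ext-float {
    address 192.0.2.10/24
    allow-service {
        udp:isakmp
        proto:50
    }
    floating enabled
    traffic-group /Common/traffic-group-1
    vlan /Common/external
}
net self /Common/ext-nonfloat {
    address 192.0.2.11/24
    allow-service none
    traffic-group /Common/traffic-group-local-only
    vlan /Common/external
}
net self /Common/int-default {
    address 198.51.100.5/24
    allow-service { default }
    traffic-group /Common/traffic-group-local-only
    vlan /Common/internal
}
"""

# One "net self NAME { ... }" stanza; the closing brace sits at column 0.
_SELF_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
_ADDR_RE = re.compile(r"^\s*address (\S+?)(?:/\d+)?\s*$", re.M)
_ALLOW_BLOCK_RE = re.compile(r"allow-service \{(.*?)\}", re.S)
_ALLOW_WORD_RE = re.compile(r"allow-service (\S+)")


def parse_self_ips(listing):
    """Map each self IP address to the set of allow-service tokens it carries.

    Keywords are kept verbatim ('none', 'all', 'default'); per-service
    entries are normalised through SERVICE_ALIASES.
    """
    result = {}
    for _name, body in _SELF_RE.findall(listing):
        addr = _ADDR_RE.search(body)
        if not addr:
            continue
        block = _ALLOW_BLOCK_RE.search(body)
        if block:
            services = {SERVICE_ALIASES.get(t, t) for t in block.group(1).split()}
        else:
            word = _ALLOW_WORD_RE.search(body)
            # Assumption: a stanza with no allow-service line is at the default (none).
            services = {word.group(1)} if word else {"none"}
        result[addr.group(1)] = services
    return result


def missing_ipsec_services(listing, self_ip, required=REQUIRED_FOR_IPSEC):
    """Return the required services that `self_ip` will not accept.

    'all' admits everything. 'default' admits only the fixed management set
    (SSH, HTTPS, DNS, SNMP, failover, iQuery), which excludes IKE and ESP,
    and 'none' admits nothing, so both leave the IPsec services missing.
    """
    allowed = parse_self_ips(listing).get(self_ip)
    if allowed is None:
        raise KeyError("no self IP %s in listing" % self_ip)
    if "all" in allowed:
        return []
    return [svc for svc in required if svc not in allowed]


if __name__ == "__main__":
    # Usage: tmsh list net self | python check_lockdown.py <self-ip>
    # With no stdin data the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.11"
    gaps = missing_ipsec_services(text, target)
    print("%s: %s" % (target, "IPsec services allowed" if not gaps else "missing " + ", ".join(gaps)))
```

If the lockdown list is already complete and the peer still receives ICMP port unreachable, nothing is bound to udp/500 on that address, so the next step is to watch the exchange on the box with `tcpdump -ni 0.0 'udp port 500 or icmp'` while the peer retries phase 1.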
- andbos_177202 (Nimbostratus)
Problem solved by changing the mode in the IPsec profile first to IPsec interface and then back to Tunnel again... After this "change" the tunnel came up and I was able to reach the private network on the other side of the tunnel.
- Richard_Karon (Employee)
sounds like you might be running into https://support.f5.com/csp/article/K24331010
may consider upgrading
- andbos_177202 (Nimbostratus)
Thanks. We upgraded the unit to 12.1.2 during the spring for other reasons. We moved the IPsec tunnels back to the ASA immediately after hitting the reported problem and haven't tried moving the tunnels again. In future we will maybe get a chance to test and check whether the problem has indeed been solved in later releases.