Forum Discussion

andbos_177202
Oct 27, 2017

ISAKMP packets dropped

Hi,


I'm trying to move a site-to-site IPsec tunnel from a Cisco ASA 5505 to a BIG-IP LTM+AFM version 12.1.0. The tunnel was up and traffic flowed properly when the tunnel was terminated on the ASA, but not any longer. I have configured IKE phase 1, IPsec phase 2 and traffic selectors with the same parameters that were configured on the ASA, and I have also configured a forwarding virtual server, but my BIG-IP seems to drop ISAKMP traffic; it answers back to the peer with ICMP port 500 unreachable. What can be wrong? Am I missing something in Network Firewall? I have added ESP and ISAKMP to the Global rule and I can see Count increasing. But phase 1 doesn't work anyway.


I have followed https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-tmos-tunnels-ipsec-12-1-0/10.html


Best regards, Andreas


  • I'm using the IP of a floating Self IP as local peer in the IPsec policy, mode is tunnel.


  • Port Lockdown on the Self IP was Allow none (default). I changed it to Custom with udp/500 and IP proto 50 set, but unfortunately it didn't help.


  • Problem solved by changing the mode in the IPsec policy first to IPsec interface and then back to Tunnel again... After this "change" the tunnel came up and I was able to reach the private network on the other side of the tunnel.
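The symptom described in this thread (ISAKMP arrives on the self IP, the BIG-IP answers with ICMP port 500 unreachable, and no IKE responder packets ever leave) has a recognisable shape in a packet capture. The following added script, which is not from the thread or from F5, tallies ISAKMP initiator/responder packets and ICMP port-unreachable replies in tcpdump-style text and reports whether the local peer is rejecting UDP/500 (nothing bound to that port on that address, which is what both the Port Lockdown setting and the IPsec policy mode would affect) or actually answering. The capture lines, the addresses (RFC 5737 documentation ranges) and the verdict strings are all constructed for the example; the regexes assume tcpdump's default text format for ISAKMP and ICMP.

```python
import re
from collections import Counter

# Constructed sample captures in tcpdump-style text (not from the original thread).
# 203.0.113.10 plays the remote IKE peer, 198.51.100.5 the BIG-IP floating self IP.
SAMPLE_LOCKED_DOWN = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:01.000200 IP 198.51.100.5 > 203.0.113.10: ICMP 198.51.100.5 udp port 500 unreachable, length 36
12:00:11.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:11.000200 IP 198.51.100.5 > 203.0.113.10: ICMP 198.51.100.5 udp port 500 unreachable, length 36
"""

SAMPLE_HEALTHY = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:01.000300 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:01.010000 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:01.010300 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
"""

# tcpdump prints "host.port > host.port: isakmp: phase N I|R ..." for IKEv1 packets
ISAKMP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): isakmp: phase (\d) ([IR])")
# ... and "host > host: ICMP host udp port N unreachable" for a closed UDP port
UNREACH_RE = re.compile(r"IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")


def summarize(capture):
    """Tally ISAKMP initiator/responder packets per (src, dst) and ICMP
    port-unreachable replies per (sending host, rejected port)."""
    summary = {
        "isakmp_initiator": Counter(),
        "isakmp_responder": Counter(),
        "unreachable": Counter(),
    }
    for line in capture.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            src, _sport, dst, _dport, _phase, role = m.groups()
            key = "isakmp_initiator" if role == "I" else "isakmp_responder"
            summary[key][(src, dst)] += 1
            continue
        m = UNREACH_RE.search(line)
        if m:
            src, _dst, port = m.groups()
            summary["unreachable"][(src, int(port))] += 1
    return summary


def diagnose(capture, local_ip):
    """Return a one-line verdict on why IKE phase 1 is not completing on local_ip."""
    s = summarize(capture)
    inbound = sum(n for (_src, dst), n in s["isakmp_initiator"].items() if dst == local_ip)
    replies = sum(n for (src, _dst), n in s["isakmp_responder"].items() if src == local_ip)
    unreach = s["unreachable"].get((local_ip, 500), 0)
    if inbound == 0:
        return "no ISAKMP reaching local peer: check upstream filtering and routing"
    if unreach > 0 and replies == 0:
        # ICMP port unreachable is generated by the host itself: the packet was
        # delivered, but no listener is bound to UDP/500 on that self IP.
        return "local host rejects UDP/500 with ICMP unreachable: nothing is listening on that self IP"
    if replies > 0:
        return "IKE responder is answering: phase 1 exchange is in progress"
    return "ISAKMP arrives but neither a reply nor a rejection is seen: check firewall rules and peer config"


if __name__ == "__main__":
    for name, cap in (("locked-down", SAMPLE_LOCKED_DOWN), ("healthy", SAMPLE_HEALTHY)):
        print(f"{name}: {diagnose(cap, '198.51.100.5')}")
```

The useful distinction is between the first two verdicts: a firewall rule that drops the packet produces silence, while an ICMP port unreachable proves the packet got through the firewall and was refused by the host's own stack, which points at the self IP listener (Port Lockdown, or the IPsec policy not having been applied to that address) rather than at the Network Firewall rules.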


    • andbos_177202

      Thanks. We upgraded the unit to 12.1.2 during spring for other reasons. We moved the IPsec tunnels back to the ASA immediately after hitting the reported problem and haven't tried moving the tunnels again. In the future we may get a chance to test and check whether the problem has indeed been solved in later releases.
