Forum Discussion

mr_evil_116524 (Nimbostratus)
Apr 13, 2014

Questions about VPN (site to site)

Hello All,

I have set up a few site-to-site VPNs between 2 BIG-IPs and between a BIG-IP and a Cisco ASA. However I am having an issue communicating with the far end.

So let me draw a little diagram:

node 1 --> cisco ASA ---->site to site VPN --> F5 --> node2 ------ this works fine however

F5 --> node2 ---->site to site VPN --> cisco asa ---> node 1 ----- this doesn't work

So I have turned on the debug logging for racoon and I can see the following:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2014-04-13 16:12:27: DEBUG: evaluating sainfo: loc='172.10.0.0/16', rmt='192.168.0.0/21', peer='ANY', id=0
2014-04-13 16:12:27: DEBUG: evaluating sainfo: loc='192.168.0.0/21', rmt='172.10.0.0/16', peer='ANY', id=0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2014-04-13 16:12:27: DEBUG: getsainfo pass 2
2014-04-13 16:12:27: DEBUG: evaluating sainfo: loc='172.10.0.0/16', rmt='192.168.0.0/21', peer='ANY', id=0
2014-04-13 16:12:27: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2014-04-13 16:12:27: DEBUG: cmpid target: '192.168.0.0/23'
2014-04-13 16:12:27: DEBUG: cmpid source: '172.10.0.0/16'
2014-04-13 16:12:27: DEBUG: evaluating sainfo: loc='192.168.0.0/21', rmt='172.10.0.0/16', peer='ANY', id=0
2014-04-13 16:12:27: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2014-04-13 16:12:27: DEBUG: cmpid target: '192.168.0.0/23'
2014-04-13 16:12:27: DEBUG: cmpid source: '192.168.0.0/21'

 

I am not sure why in one place it is recording /23 and in another place it is recording /21 for the same IP range, i.e. '192.168.0.0/23' and '192.168.0.0/21'.

Did anyone else come across this issue?

 

1 Reply

  • Jana (Altostratus)

    This is generally related to the proxy-ids, which should match on both sides.
    Please verify that the netmasks of the traffic-selector configuration on the BIG-IP match the netmasks of the interesting-traffic ACLs defined on the Cisco ASA. Check for any typos in the netmasks (not readily visible in dotted decimal format).
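    As an added illustration of the reply above (this is not code from the thread, from F5 or from Cisco), the script below does two things a defender would want when chasing a phase 2 proxy-ID mismatch like the one in the question. First it parses racoon debug output, pairing each "cmpid target" line (the subnet ID the peer proposed, as I read the log) with the "cmpid source" line that follows it (the locally configured sainfo selector) and classifying how the two subnets relate, so the /23 versus /21 problem stands out as "peer-narrower" instead of being buried in the log. Second it compares a BIG-IP traffic selector list against an ASA-style ACL written with dotted-decimal masks, flagging masks that leave host bits set (the typo the reply warns about) and ACL entries that have no mirrored BIG-IP selector. The sample log and the two configurations are constructed for the example, modelled on the values quoted in the post; all function names are my own and assume nothing about either product's CLI.

```python
import ipaddress
import re

# Constructed sample log, modelled on the racoon debug lines quoted in the post
# (not a capture from the poster's BIG-IP).
SAMPLE_LOG = """\
2014-04-13 16:12:27: DEBUG: evaluating sainfo: loc='172.10.0.0/16', rmt='192.168.0.0/21', peer='ANY', id=0
2014-04-13 16:12:27: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2014-04-13 16:12:27: DEBUG: cmpid target: '192.168.0.0/23'
2014-04-13 16:12:27: DEBUG: cmpid source: '172.10.0.0/16'
2014-04-13 16:12:27: DEBUG: evaluating sainfo: loc='192.168.0.0/21', rmt='172.10.0.0/16', peer='ANY', id=0
2014-04-13 16:12:27: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2014-04-13 16:12:27: DEBUG: cmpid target: '192.168.0.0/23'
2014-04-13 16:12:27: DEBUG: cmpid source: '192.168.0.0/21'
"""

CMPID_RE = re.compile(r"cmpid (target|source): '([^']+)'")


def to_network(text):
    """Parse a selector written as '192.168.0.0/21' or, ASA style, as
    '192.168.0.0 255.255.248.0'. strict=True makes a mask that leaves host
    bits set (the usual sign of a mistyped dotted-decimal mask) raise ValueError."""
    return ipaddress.ip_network(text.strip().replace(" ", "/"), strict=True)


def parse_cmpid_pairs(log):
    """Pair each 'cmpid target' line (the ID proposed by the peer) with the
    'cmpid source' line that follows it (the locally configured selector)."""
    pairs, target = [], None
    for kind, value in CMPID_RE.findall(log):
        if kind == "target":
            target = to_network(value)
        elif target is not None:
            pairs.append((target, to_network(value)))
            target = None
    return pairs


def classify(peer, local):
    """Describe how the peer's proposed subnet relates to our selector."""
    if peer == local:
        return "exact"
    if peer.subnet_of(local):
        return "peer-narrower"
    if local.subnet_of(peer):
        return "peer-wider"
    return "disjoint"


def diagnose(log):
    """One (peer, local, relation) tuple per cmpid comparison in the log."""
    return [(str(p), str(l), classify(p, l)) for p, l in parse_cmpid_pairs(log)]


def mask_problems(entries):
    """Return the selector strings (from (a, b) pairs) whose mask leaves host bits set."""
    bad = []
    for entry in entries:
        for text in entry:
            try:
                to_network(text)
            except ValueError:
                bad.append(text)
    return bad


def unmatched_acl_entries(bigip_selectors, asa_acl):
    """bigip_selectors: (local, remote) pairs as on the BIG-IP traffic selector.
    asa_acl: (source, destination) pairs from the ASA crypto-map ACL. The ASA's
    source is the BIG-IP's remote, so every ACL entry must equal a mirrored
    BIG-IP selector; the entries that do not are returned."""
    mirrored = {(to_network(rmt), to_network(loc)) for loc, rmt in bigip_selectors}
    return [(src, dst) for src, dst in asa_acl
            if (to_network(src), to_network(dst)) not in mirrored]


if __name__ == "__main__":
    for peer, local, relation in diagnose(SAMPLE_LOG):
        print(f"peer proposed {peer:<18} local selector {local:<18} -> {relation}")

    # Constructed configs: the BIG-IP selector says /21, the ASA ACL says /23.
    bigip = [("172.10.0.0/16", "192.168.0.0/21")]
    asa = [("192.168.0.0 255.255.254.0", "172.10.0.0 255.255.0.0")]
    print("mask typos:", mask_problems(bigip + asa))
    print("ASA entries without a mirrored BIG-IP selector:",
          unmatched_acl_entries(bigip, asa))
```

    Run it against the racoon debug output of the affected BIG-IP and the ACL lines from the ASA; a "peer-narrower" or "peer-wider" relation with the same network address points at a mask mismatch rather than a wrong network, while anything listed by mask_problems is a mask that does not even fit its own address and should be corrected before comparing the two sides.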