Jun 10, 2021

Site to site VPN on the second box



We have a setup with two F5s in Active/Passive mode. We would like to have the site-to-site VPNs run on the second (standby) box. We have traffic-group-1, which currently holds all the elements and is active on BIGIP1. I thought that if I moved the self IP used as the tunnel source and the self IP that is the next hop for the L3 switch on the LAN towards the tunnels to traffic-group-2, together with the virtual IPs that are linked to the source traffic subnet and destination traffic subnet, it should start working on the second box. But when it becomes active for these self IPs and virtual IPs, it does not make any attempt to build the tunnel (as seen in tcpdump).


To put some numbers on it, we have traffic from going to that needs to go into the tunnel. I have L3 forwarding virtual servers for these subnets, and their corresponding virtual IPs are moved to traffic-group-2. I have the self IP to receive traffic from the LAN from the subnet and the self IP as the source of the tunnel. I moved those two self IPs to the second traffic group and made the "BIGIP2" box active for it. When that was done I saw nothing... Not a single attempt from the BIGIP2 box to start the tunnel, nor any incoming traffic for the tunnel source IP from the internet (this could be an issue on the FW between the internet and the BIGIP2 box, tbd...).


So if anybody has this setup or ideas please let me know. Thank you!



