Forum Discussion
VPN connection behind F5 Link controller
I was looking for a way to have the ASAs independently determine failure and transition to a new gateway.
Initially the engineers in my company and I built a pair of VSs that NATed a remote ASA. When this didn't work as expected I traced the comms on either side and noticed that the F5 was sending an ICMP host unreachable, port unreachable back from the SNAT address associated with the virtual server when the ASAs were shifting to UDP port 4500 for the NAT-T. This was in spite of an existing connection in the conn table that showed the mapping in a manner we would expect.
The solution we used (for now at least; we are still playing around with it) was to create a new pair of virtual servers using the SNAT interface IPs from the original VSs (Standard VS, UDP port 4500) in the reverse direction.
This allowed the return traffic to flow back to the original ASA, and a tunnel was successfully established.
It seems strange though: the IKEv1 traffic flowed back and forth with a single VS; there was no need to map another in the reverse direction.
However, when the originating ASA sent port 4500 traffic (the continuation of the Phase 2 setup wrapped in a UDP tunnel) the traffic made it to the remote ASA, but when the remote responded in kind we observed the port unreachable error coming from the F5.
This led to the creation of the reverse direction VSs.
This does not seem an elegant solution, but it does work.
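As an added troubleshooting helper (not part of the original post), the following Python checker reads tcpdump-style summary lines and flags the exact symptom described above: an ICMP port-unreachable sent by the SNAT address for UDP 4500 right after that same address had sourced NAT-T traffic from that port to the same peer. The capture lines and the addresses 10.0.0.5 (originating ASA), 192.0.2.50 (VS), 203.0.113.10 (SNAT) and 198.51.100.20 (remote ASA) are constructed for the example.

```python
import re

# Constructed tcpdump-style summary lines (not from the original post): the
# originating ASA 10.0.0.5 reaches the remote ASA 198.51.100.20 through the
# F5 virtual server 192.0.2.50, which SNATs to 203.0.113.10. Phase 1 on
# UDP 500 works; the NAT-T reply on UDP 4500 is answered with ICMP unreachable.
SAMPLE_CAPTURE = """\
10:00:00.100 IP 10.0.0.5.500 > 192.0.2.50.500: isakmp: phase 1 I ident
10:00:00.120 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:00:00.140 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
10:00:00.300 IP 10.0.0.5.4500 > 192.0.2.50.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
10:00:00.320 IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
10:00:00.340 IP 198.51.100.20.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
10:00:00.341 IP 203.0.113.10 > 198.51.100.20: ICMP 203.0.113.10 udp port 4500 unreachable, length 36
"""

# "IP a.b.c.d.PORT > w.x.y.z.PORT: ..." for UDP datagrams
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): ")
# "IP a.b.c.d > w.x.y.z: ICMP a.b.c.d udp port N unreachable" for ICMP type 3 code 3
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP (\S+) udp port (\d+) unreachable")


def find_rejected_natt_replies(capture, snat_ip):
    """Return (icmp_sender, port, peer) tuples for every ICMP port-unreachable
    the SNAT address sent for a UDP port it had itself used towards that peer."""
    outbound = set()   # (source port, peer) pairs the SNAT address originated
    findings = []
    for line in capture.splitlines():
        # ICMP lines also match the looser UDP pattern, so test them first.
        m = ICMP_RE.search(line)
        if m:
            sender, peer, unreachable_ip, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
            # The tell-tale symptom: the SNAT address reports its own port as
            # unreachable to a peer it had just sent a datagram to from that port.
            if sender == snat_ip and unreachable_ip == snat_ip and (port, peer) in outbound:
                findings.append((sender, port, peer))
            continue
        m = UDP_RE.search(line)
        if m and m.group(1) == snat_ip:
            outbound.add((int(m.group(2)), m.group(3)))
    return findings


if __name__ == "__main__":
    for sender, port, peer in find_rejected_natt_replies(SAMPLE_CAPTURE, "203.0.113.10"):
        print(f"{sender} rejected UDP/{port} reply from {peer} despite having sourced that flow")
```

Run it against your own capture by replacing SAMPLE_CAPTURE with the output of tcpdump taken on the F5 side; a hit on port 4500 is the NAT-T return path that the reverse direction VS in the post is meant to fix.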