VPN issues over LTM

Question

Hello guys, i´m having an estranged behavior with a deployment over VPN´s. Right now I have a Cisco ASA _1on one side and on the other side anothe CISCO ASA_2 and in between is the LTM.
&nbsp;We are just passing traffic through the F5 between these two CISCO´s, the VPN is established but when passing traffic CISCO ASA_1 only see encrypted packets but no decrypted traffic.
&nbsp;Attached you will find the Diagram of the solution, the main issue happens with the RACSA ISP.&nbsp;&nbsp;
&nbsp;Here is an output of the VPN establishment:&nbsp;&nbsp;
17:09:07.175755 IP 190.14.195.19.isakmp &gt; 172.17.151.98.isakmp: isakmp: phase 2/others R inf[E]
17:09:08.669858 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x16), length 92
17:09:14.169428 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x17), length 92
17:09:17.082335 IP 172.17.151.98.isakmp &gt; 190.14.195.19.isakmp: isakmp: phase 2/others I inf[E]
17:09:17.176841 IP 190.14.195.19.isakmp &gt; 172.17.151.98.isakmp: isakmp: phase 2/others R inf[E]
17:09:19.671852 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x18), length 92
17:09:25.170147 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x19), length 92
17:09:27.083718 IP 172.17.151.98.isakmp &gt; 190.14.195.19.isakmp: isakmp: phase 2/others I inf[E]
17:09:27.177841 IP 190.14.195.19.isakmp &gt; 172.17.151.98.isakmp: isakmp: phase 2/others R inf[E]
17:09:30.670244 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x1a), length 92
17:09:36.170279 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x1b), length 92
17:09:37.085515 IP 172.17.151.98.isakmp &gt; 190.14.195.19.isakmp: isakmp: phase 2/others I inf[E]
17:09:37.179878 IP 190.14.195.19.isakmp &gt; 172.17.151.98.isakmp: isakmp: phase 2/others R inf[E]
17:09:41.671189 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x1c), length 92
17:09:47.086735 IP 172.17.151.98.isakmp &gt; 190.14.195.19.isakmp: isakmp: phase 2/others I inf[E]
17:09:47.170762 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x1d), length 92
17:09:47.180433 IP 190.14.195.19.isakmp &gt; 172.17.151.98.isakmp: isakmp: phase 2/others R inf[E]
17:09:52.670852 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x1e), length 92
17:09:57.088412 IP 172.17.151.98.isakmp &gt; 190.14.195.19.isakmp: isakmp: phase 2/others I inf[E]
17:09:57.184701 IP 190.14.195.19.isakmp &gt; 172.17.151.98.isakmp: isakmp: phase 2/others R inf[E]
17:09:58.172094 IP 190.14.195.19 &gt; 190.241.90.120: ESP(spi=0xf40c7478,seq=0x1f), length 92&nbsp;&nbsp;
&nbsp;Appreciate of someone has an idea of this behavior.&nbsp;
&nbsp;Thanks a lot&nbsp;

the_bhattman · Answer

Hi Luis. 
&nbsp;     I am assuming that your network looks loosely like the following 
&nbsp;  
&nbsp; Cisco ASA_1 VPN ---- LTM ---- INTERNET---- LTM ---- Cisco ASA_2 VPN  
&nbsp;  
&nbsp; if you are seeing encrypted packets at the VPN and have passed the Layer 1 and 2 phases then at this point it's passed the LTM.  The decryption happens at the VPN. 
&nbsp;  
&nbsp; Please clarify if my assumption is wrong. 
&nbsp;  
&nbsp;  
&nbsp; Bhattman &nbsp;

Forum Discussion

VPN issues over LTM

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

SSL VPN Split Tunneling and Office 365

SSL VPN Disconnect Issue

Crafting Secure Paths: The Intricacies of VPN Solutions on BIG-IP APM

Regex issue

Deploying a VPN on the BIG-IP APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS