Forum Discussion

tihi_341714
Aug 07, 2018

Connection not getting ACK in 3-way handshake in IPsec

Hi,

We have a minor IPsec problem and I can't seem to wrap my head around it. There are a number of IPsecs on our F5, and most of them have public IP addresses assigned to them and public peers as well.

But this one is using private IP addresses and is going through an MPLS VPN cloud. So something like this:

Remote FW <-> Cisco ASR where the other end of the IPSEC is terminated <-> PE router of the MPLS <-> MPLS <-> Another PE <-> Our F5 LTM/AFM device

On our end, we have a VLAN configured whose floating IP is the one terminating the IPsec. Also, this VLAN is a transit VLAN, an incoming/outgoing interface from/to the MPLS cloud.

The traffic from our end goes like this: 10.78.69.140 -> 10.30.0.74:443

The 10.78.69.x subnet is assigned to a forwarding virtual server that can send traffic anywhere, including the IPsec tunnel.

So the problem is that the packet goes out, but during the 3-way handshake we cannot see the ACK in the inside VLAN, while we can see it in the incoming VLAN.

tcpdump from the inside VLAN that goes out on the outgoing forwarder:

15:56:24.329348 IP (tos 0x0, ttl 64, id 5505, offset 0, flags [DF], proto TCP (6), length 52) 10.78.69.140.25270 > 10.30.0.74.https: Flags [S], cksum 0xb05f (correct), seq 2546182054, win 26400, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0 in slot1/tmm5 lis=/PART_XY/FWVS_XY-OUTSIDE

incoming:

15:56:24.333293 IP (tos 0x0, ttl 125, id 28012, offset 0, flags [DF], proto TCP (6), length 52) 10.30.0.74.https > 10.78.69.140.25270: Flags [S.], cksum 0xa0b4 (correct), seq 3594223601, ack 2546182055, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm5 lis=

So it seems that for some reason the ACK can't be seen in the VLAN where the traffic originated from.

We've never had this kind of issue with the rest of the IPsecs, even if the only difference is the IP address.

I'd appreciate it if you could help me.

Best regards
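An added example (not part of the post, and not F5's own tooling) for triaging a stalled handshake like the one above: it parses tcpdump lines that carry F5's trailing "in slot/tmm lis=" annotation, pairs the SYN, SYN-ACK and final ACK of each flow by their sequence numbers, and reports how far each handshake got and which listener (virtual server) saw each leg. It assumes the line format shown in the two captures in the post; the sample capture embedded below is constructed from those two lines, and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample capture: the two tcpdump lines quoted in the post,
# reproduced so the analysis below runs offline against them.
SAMPLE_CAPTURE = """\
15:56:24.329348 IP (tos 0x0, ttl 64, id 5505, offset 0, flags [DF], proto TCP (6), length 52) 10.78.69.140.25270 > 10.30.0.74.https: Flags [S], cksum 0xb05f (correct), seq 2546182054, win 26400, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0 in slot1/tmm5 lis=/PART_XY/FWVS_XY-OUTSIDE
15:56:24.333293 IP (tos 0x0, ttl 125, id 28012, offset 0, flags [DF], proto TCP (6), length 52) 10.30.0.74.https > 10.78.69.140.25270: Flags [S.], cksum 0xa0b4 (correct), seq 3594223601, ack 2546182055, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 in slot1/tmm5 lis=
"""

# One tcpdump line ending in F5's "in <slot/tmm> lis=<listener>" annotation.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \((?P<iphdr>.*?)\) (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*) in (?P<tmm>\S+) lis=(?P<lis>\S*)$"
)
FlowKey = Tuple[str, str, str, str]  # (client ip, client port, server ip, server port)


def _endpoint(ep: str) -> Tuple[str, str]:
    """Split 'a.b.c.d.port' into (ip, port); tcpdump may print a service name such as 'https'."""
    ip, port = ep.rsplit(".", 1)
    return ip, port


def parse_line(line: str) -> Optional[dict]:
    """Parse one capture line into a dict, or return None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ttl = re.search(r"\bttl (\d+)", d["iphdr"])
    seq = re.search(r"\bseq (\d+)", d["rest"])  # absent on pure ACKs without payload
    ack = re.search(r"\back (\d+)", d["rest"])  # \b keeps 'sackOK' from matching
    d["ttl"] = int(ttl.group(1)) if ttl else None
    d["seq"] = int(seq.group(1)) if seq else None
    d["ack"] = int(ack.group(1)) if ack else None
    d["src"], d["sport"] = _endpoint(d["src"])
    d["dst"], d["dport"] = _endpoint(d["dst"])
    return d


def track_handshakes(capture_text: str) -> Dict[FlowKey, dict]:
    """Correlate SYN, SYN-ACK and final ACK per flow using the TCP sequence numbers."""
    flows: Dict[FlowKey, dict] = {}
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flows[key] = {"syn": p, "synack": None, "ack": None}
        elif p["flags"] == "S.":
            key = (p["dst"], p["dport"], p["src"], p["sport"])  # reply travels the reverse direction
            f = flows.get(key)
            if f and p["ack"] == f["syn"]["seq"] + 1:
                f["synack"] = p
        elif p["flags"] == ".":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            f = flows.get(key)
            if f and f["synack"] and f["ack"] is None and p["ack"] == f["synack"]["seq"] + 1:
                f["ack"] = p
    return flows


def diagnose(flows: Dict[FlowKey, dict]) -> List[str]:
    """One line per flow: how far the handshake got and which listener saw each leg."""
    out = []
    for (cip, cport, sip, sport), f in flows.items():
        stage = "ACK" if f["ack"] else "SYN-ACK" if f["synack"] else "SYN"
        legs = ", ".join(
            f"{name} lis={pkt['lis'] or '<none>'} ttl={pkt['ttl']}"
            for name, pkt in (("syn", f["syn"]), ("synack", f["synack"]), ("ack", f["ack"]))
            if pkt
        )
        # An empty lis= on the reply means no virtual server claimed the returning packet.
        note = " [reply matched no listener]" if f["synack"] and not f["synack"]["lis"] else ""
        out.append(f"{cip}:{cport} -> {sip}:{sport}: last seen {stage}; {legs}{note}")
    return out


if __name__ == "__main__":
    for line in diagnose(track_handshakes(SAMPLE_CAPTURE)):
        print(line)
```

Run it against a capture taken with the listener annotation enabled and compare the lis= value on each leg: the SYN leaves via the outbound forwarding virtual server, while in the quoted capture the returning SYN-ACK carries an empty lis=, which this script flags so the mismatch is visible without reading the raw lines.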
