IPsec persistence on F5 LTM
Hi all!
I have a problem with VPN IPsec persistence for which I actually have no solution.
The architecture is like this:
Firewall(s) <=> LTM <=> Multiple Routers <=> Internet <=> Firewall(s)
All VPN IPsec tunnels are between our firewalls and customers' firewalls. We have multiple ISPs, and traffic is forwarded using a pool of gateways (containing our routers, weighted by Priority Group automatic activation).
So traffic goes through forwarding VSs like:
From inside:
virtual FWD_INT_0.0.0.0-0 {
   destination any:any
   mask 0.0.0.0
   profiles fastL4-NO_SYN {}
   vlans external disable
}
From outside:
virtual FW_EXT_a.b.c.d_24 {
   destination a.b.c.d:any
   mask 255.255.255.0
   profiles fastL4-NO_SYN {}
   vlans internal disable
}
Fast L4 with no SYN is like this:
profile fastL4 fastL4 {
   reset on timeout enable
   reassemble fragments disable
   idle timeout 2000
   tcp handshake timeout 5
   tcp close timeout 5
   mss override 0
   pva acceleration full
   tcp timestamp preserve
   tcp wscale preserve
   tcp generate isn disable
   tcp strip sack disable
   ip tos to client pass
   ip tos to server pass
   link qos to client pass
   link qos to server pass
   rtt from client disable
   rtt from server disable
   loose initiation disable
   loose close disable
   hardware syncookie disable
   software syncookie disable
}
profile fastL4 fastL4-NO_SYN {
   defaults from fastL4
   loose initiation enable
   loose close enable
}
When one of our routers is down, or traffic is routed through other links due to Priority Group activation, we have persistence problems on the LTM for the isakmp, ike and udp protocols. Killing the session using tmsh solves the problem, but this action is manual.
Is there anything I can do to avoid persistence on VPN IPsec protocols?
Thanks in advance for your help.
Fabien VINCENT
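The post describes clearing the stale entries by hand with tmsh after a gateway failover. The script below is an added example, not code from the original post or from F5: it parses the text of `tmsh show sys connection`, picks out the IPsec control and data-plane flows (IKE on UDP/500, NAT-T on UDP/4500, ESP), and emits the matching `tmsh delete sys connection` commands so the operator can review them in a dry run before executing, or run them from a failover hook. The column order assumed for the connection table, the "esp"/"50" protocol labels, and the sample table text are all assumptions constructed for the example and should be checked against your own TMOS version.

```python
"""Automating the manual 'kill the session with tmsh' step for IPsec flows.

Added example, not from the original post. It parses the output of
`tmsh show sys connection` and emits the matching `tmsh delete sys connection`
commands for IKE (UDP/500), NAT-T (UDP/4500) and ESP entries.

Assumptions:
  * Column order of `show sys connection` is taken as
    cs-client cs-server ss-client ss-server protocol idle ...; verify it
    against your TMOS version before trusting the parser.
  * ESP rows are assumed to show the protocol as "esp" or its number "50".
  * SAMPLE_OUTPUT is constructed by hand, not captured from a real device.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

IKE_PORTS = {500, 4500}          # IKE and NAT-T (UDP)
ESP_TOKENS = {"esp", "50"}       # how an ESP flow may be labelled (assumed)

# One row of the connection table (assumed column order, see module docstring).
ROW_RE = re.compile(
    r"^(?P<cs_client>\S+)\s+(?P<cs_server>\S+)\s+(?P<ss_client>\S+)\s+"
    r"(?P<ss_server>\S+)\s+(?P<proto>\S+)\s+(?P<idle>\d+)"
)


@dataclass(frozen=True)
class Conn:
    cs_client: str   # client-side client addr:port
    cs_server: str   # client-side server addr:port (the VPN peer for outbound IKE)
    proto: str
    idle: int        # idle seconds reported by the table

    def server_addr(self) -> str:
        return self.cs_server.rsplit(":", 1)[0]

    def server_port(self) -> int:
        return int(self.cs_server.rsplit(":", 1)[1])


# Constructed sample in the assumed shape of `tmsh show sys connection`.
SAMPLE_OUTPUT = """\
Sys::Connections
192.0.2.10:500    203.0.113.5:500    192.0.2.10:500    203.0.113.5:500    udp  312  (tmm: 0)  none  none
192.0.2.10:4500   203.0.113.5:4500   192.0.2.10:4500   203.0.113.5:4500   udp  12   (tmm: 1)  none  none
192.0.2.10:0      203.0.113.5:0      192.0.2.10:0      203.0.113.5:0      esp  150  (tmm: 0)  none  none
192.0.2.20:51234  198.51.100.7:443   192.0.2.20:51234  198.51.100.7:443   tcp  3    (tmm: 1)  none  none
Total records returned: 4
"""


def parse_connections(text: str) -> List[Conn]:
    """Turn connection-table text into Conn records, skipping header/footer lines."""
    conns = []
    for line in text.splitlines():
        if line.startswith("Sys::") or line.startswith("Total"):
            continue
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(m["cs_client"], m["cs_server"], m["proto"].lower(), int(m["idle"])))
    return conns


def is_ipsec(conn: Conn) -> bool:
    """IKE/NAT-T on UDP 500/4500, or an ESP flow."""
    if conn.proto == "udp":
        return conn.server_port() in IKE_PORTS
    return conn.proto in ESP_TOKENS


def flush_commands(conns: List[Conn], min_idle: int = 0) -> List[str]:
    """Build one delete command per IPsec entry idle for at least min_idle seconds.

    cs-server-addr / cs-server-port / protocol are real filter options of
    `tmsh delete sys connection`; passing "esp" as the protocol value is an
    assumption to confirm on your version.
    """
    cmds = []
    for c in conns:
        if not is_ipsec(c) or c.idle < min_idle:
            continue
        if c.proto == "udp":
            cmds.append(f"tmsh delete sys connection cs-server-addr {c.server_addr()} "
                        f"cs-server-port {c.server_port()} protocol udp")
        else:
            cmds.append(f"tmsh delete sys connection cs-server-addr {c.server_addr()} protocol esp")
    return cmds


def flush_ipsec(dry_run: bool = True, min_idle: int = 0,
                table_text: Optional[str] = None) -> List[str]:
    """Read the live table (or supplied text), print the delete commands, run them unless dry_run."""
    if table_text is None:
        table_text = subprocess.run(["tmsh", "show", "sys", "connection"],
                                    capture_output=True, text=True, check=True).stdout
    cmds = flush_commands(parse_connections(table_text), min_idle)
    for cmd in cmds:
        print(cmd)
        if not dry_run:
            subprocess.run(cmd.split(), check=True)
    return cmds


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; omit table_text to read the live table.
    flush_ipsec(dry_run=True, table_text=SAMPLE_OUTPUT)
```

Run it with `dry_run=True` first and compare the printed commands with what you would have typed by hand; the `min_idle` threshold lets you leave freshly re-established IKE exchanges alone and only clear entries that have been idle since the failover, which is the set that actually pins traffic to the dead gateway.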