Forum Discussion

Narendren_S
Feb 07, 2017

F5 LTM and Juniper VPN Gateway

It's regarding a Juniper VPN GW load-balancing issue.

In this deployment, 4 VPN Gateways - PSA1, PSA2, PSA3, PSA4 - are configured under LTM on ports 443 and UDP 4500.

Similarly, LTM virtual servers are on port TCP 443 (layer-7) and UDP 4500 (layer-4).

Also, source address persistence is enabled across services 443 and 4500, so as to ensure client connections are served by the same PSA on 443 and 4500.

All profile timeouts (https/udp) and persistence have been set to 2 hrs as per requirement.

Usually, client connections will start with 443 and, after 15 secs of negotiation and session establishment, the client will continue to use the service on UDP 4500. It is the expected behaviour.

This solution was working fine with the Cisco ACE and Juniper VPN setup.

While migrating it to the F5 LTM and Juniper VPN setup, it is observed that sometimes VPN sessions are not shifted to UDP 4500 and continue to use 443.

What might be the cause of this kind of issue and how can it be troubleshot further?

I searched for a deployment guide for F5 LTM - Juniper VPN Gateway integration. But I didn't find any.

 

3 Replies

  • If you don't need to inspect/manage HTTP traffic in your VS on port 443, I'd try to change it to an L4 type virtual server. The only thing that comes to my mind that might be causing problems is the deferred accept of standard virtual servers. This may not be the problem, but it is a simple test. Hope this helps!

  • Hi Daniel, thanks for your suggestion. Tried layer-4 policies for both 443 and 4500. The problem remains the same. After 15 secs of session start time on 443, it should shift to 4500. Sometimes it is not happening. Though F5 is not responsible for this auto change of port from 443 to 4500, which are independent virtual servers, other stakeholders analysed their part and confirmed services are working as expected while bypassing F5 or by using Cisco ACE.

  • Try to use Fiddler, HttpWatch, or something similar, to capture the behavior when going directly and when going via F5. Look for differences.

    Also, get a tcpdump and ssldump on the F5 unit. Check what happens, or should happen, when switching to UDP 4500.

    Check that it is not caused by SNAT, for example.

    Here are some useful solutions:

    https://support.f5.com/csp/article/K7820

    https://support.f5.com/csp/article/K411
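One way to act on the tcpdump suggestion above, as an added example that is not part of the thread: parse server-side capture lines and check, per client, whether the 443 and UDP 4500 flows landed on the same PSA (what match-across-services persistence should guarantee) and whether a 4500 flow appeared at all. The capture lines, the PSA addresses and the mapping to PSA1..PSA4 are constructed for this example; it assumes the client address is preserved on the server side (with SNAT the source would be the SNAT address instead, which is itself the thing the reply says to check).

```python
import re
from collections import defaultdict

# Constructed sample of server-side tcpdump lines (not a real capture).
# Client .10 is fine, .11 hits two different PSAs, .12 never moves to 4500.
SAMPLE_CAPTURE = """\
10:00:00.100 IP 198.51.100.10.51000 > 10.10.0.1.443: Flags [S], seq 1, length 0
10:00:15.200 IP 198.51.100.10.40001 > 10.10.0.1.4500: UDP, length 100
10:00:01.000 IP 198.51.100.11.51001 > 10.10.0.2.443: Flags [S], seq 1, length 0
10:00:16.000 IP 198.51.100.11.40002 > 10.10.0.3.4500: UDP, length 100
10:00:02.000 IP 198.51.100.12.51002 > 10.10.0.4.443: Flags [S], seq 1, length 0
10:00:30.000 IP 198.51.100.12.51002 > 10.10.0.4.443: Flags [P.], seq 1:100, length 99
"""

# Hypothetical pool member addresses mapped to the four gateways from the question.
POOL = {"10.10.0.1": "PSA1", "10.10.0.2": "PSA2", "10.10.0.3": "PSA3", "10.10.0.4": "PSA4"}

# src_ip.src_port > dst_ip.dst_port: (tcpdump -n style addressing)
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def backends_by_client(capture):
    """Return {client_ip: {dst_port: set of PSA names}} for ports 443 and 4500."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, server, port = m.group(1), m.group(2), int(m.group(3))
        if port in (443, 4500):
            seen[client][port].add(POOL.get(server, server))
    return seen


def check_persistence(capture):
    """Classify each client: 'ok', 'mismatch' (443 and 4500 on different PSAs), 'no_4500'."""
    result = {}
    for client, ports in backends_by_client(capture).items():
        https, ipsec = ports.get(443, set()), ports.get(4500, set())
        if not ipsec:
            result[client] = "no_4500"      # session stayed on 443, the symptom reported
        elif https and https != ipsec:
            result[client] = "mismatch"     # persistence did not hold across services
        else:
            result[client] = "ok"
    return result


if __name__ == "__main__":
    for client, verdict in sorted(check_persistence(SAMPLE_CAPTURE).items()):
        print(client, verdict)
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the tcpdump output; a "mismatch" points at the persistence profile, a "no_4500" at the client/gateway negotiation rather than at LTM.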