I have an HA LTM in load balancing Cisco DMVPN connections to four hub routers 10.20.1.101, 2, 3, & 4. Problem is that it's load balancing the ISAKMP and ESP to different hub routers, as you can see from the connection table. What's the simplest way to get the ISAKMP/ESP from the public source address (left) to the same hub router (right)? I have a simple configuration with a vip, one pool with four members and no snat, let me know if you need to see more. THANKS!! [root@etc-rslb-dmvpn-1:Active:Changes Pending] config tmsh show sys connection | grep 172.16.1.10: 99.126.100.55:500 172.16.1.10:500 99.126.100.55:61936 10.20.1.104:500 udp 5 (tmm: 1) 99.108.26.170:500 172.16.1.10:500 99.108.26.170:500 10.20.1.101:500 udp 5 (tmm: 3) 99.126.100.55:4500 172.16.1.10:4500 99.126.100.55:35306 10.20.1.103:4500 udp 4 (tmm: 1) 99.108.26.170:4500 172.16.1.10:4500 99.108.26.170:50000 10.20.1.103:4500 udp 4 (tmm: 3) 108.86.114.132:4500 172.16.1.10:4500 108.86.114.132:23287 10.20.1.104:4500 udp 0 (tmm: 3)

Any persistence setup? If so what? If not, that would be a great start.

Yes, I was using soure address persistence, but instead of using the client source address the LTM was using the VIP address. I changed to destination address and connections all go to the same router, which is not what I want either.

OK. Can you go back to Source Address persistence (which should be based on the source IP as it arrives at the LTM) and also select the Match Across Services option so it'll take into account traffic received on different ports.

Hmmm. Well that really should work. Any NAT occuring, not that it should matter. Can you get another output from the connection table please and post it here properly formatted. I can't quite work out what's what from the first one you posted. Thanks

IPSEC Affinity Not Working

11 Replies

What_Lies_Bene1
Cirrostratus
Sep 20, 2013
Any persistence setup? If so what? If not, that would be a great start.
KernelPanic
Nimbostratus
Sep 20, 2013
Yes, I was using soure address persistence, but instead of using the client source address the LTM was using the VIP address. I changed to destination address and connections all go to the same router, which is not what I want either.
What_Lies_Bene1
Cirrostratus
Sep 20, 2013
OK. Can you go back to Source Address persistence (which should be based on the source IP as it arrives at the LTM) and also select the Match Across Services option so it'll take into account traffic received on different ports.
What_Lies_Bene1
Cirrostratus
Sep 20, 2013
Hmmm. Well that really should work. Any NAT occuring, not that it should matter.

Can you get another output from the connection table please and post it here properly formatted. I can't quite work out what's what from the first one you posted. Thanks
KernelPanic
Nimbostratus
Sep 20, 2013
Sure, There is NAT, but no SNAT. 172.16.1.10 is the VIP address. 10.20.1.103 is the pool member. I dont understand why it is basing persistence on the VIP address. I also removed persistence mirroring but I think that has more to do with HA.

Sorry about the messy post before, I'm not sure how to format this. I tried the backtic but it took all of the \n out. Here goes.. BTW thanks for your fast response!

Sys::Persistent Connections source-address 172.16.1.10:any 10.20.1.103:any 3 Total records returned: 1 config tmsh show sys connection | grep 172.16.1.10:99.126.100.55:500 172.16.1.10:500 99.126.100.55:16279 10.20.1.103:500 udp 9 (tmm: 1)99.108.26.170:500 172.16.1.10:500 99.108.26.170:39835 10.20.1.103:500 udp 5 (tmm: 3)99.126.100.55:4500 172.16.1.10:4500 99.126.100.55:4500 10.20.1.101:4500 udp 8 (tmm: 1)99.108.26.170:4500 172.16.1.10:4500 99.108.26.170:4500 10.20.1.101:4500 udp 5 (tmm: 3)99.88.254.242:500 172.16.1.10:500 99.88.254.242:79 10.20.1.103:500 udp 6 (tmm: 0)108.86.114.132:4500 172.16.1.10:4500 108.86.114.132:51339 10.20.1.103:4500 udp 0 (tmm: 3)99.88.254.242:4500 172.16.1.10:4500 99.88.254.242:4500 10.20.1.101:4500 udp 5

connectionSys::Connections10.20.0.9:37128 10.20.1.104:8 10.20.0.9:24195 10.20.1.104:8 icmp 1 (tmm: 0)10.20.0.9:45498 10.20.1.102:8 10.20.0.9:45498 10.20.1.102:8 icmp 5 (tmm: 2)10.20.0.9:65288 10.20.1.101:8 10.20.0.9:60298 10.20.1.101:8 icmp 10 (tmm: 0)10.20.0.9:47519 10.20.1.102:8 10.20.0.9:47519 10.20.1.102:8 icmp 0 (tmm: 3)10.20.0.9:24889 10.20.1.101:8 10.20.0.9:42103 10.20.1.101:8 icmp 7 (tmm: 1)10.20.0.9:38264 10.20.1.104:8 10.20.0.9:20805 10.20.1.104:8 icmp 3 (tmm: 0)99.126.100.55:500 172.16.1.10:500 99.126.100.55:16279 10.20.1.103:500 udp 16 (tmm: 1)10.20.0.9:29007 10.20.1.101:8 10.20.0.9:40193 10.20.1.101:8 icmp 2 (tmm: 3)10.20.0.9:60195 10.20.1.104:8 10.20.0.9:60195 10.20.1.104:8 icmp 11 (tmm: 3)99.108.26.170:500 172.16.1.10:500 99.108.26.170:39835 10.20.1.103:500 udp 12 (tmm: 3)10.20.0.9:7989 10.20.1.101:8 10.20.0.9:42872 10.20.1.101:8 icmp 1 (tmm: 1)99.126.100.55:4500 172.16.1.10:4500 99.126.100.55:4500 10.20.1.101:4500 udp 16 (tmm: 1)10.20.0.9:16245 10.20.1.103:8 10.20.0.9:56063 10.20.1.103:8 icmp 9 (tmm: 1)10.20.0.9:28045 10.20.1.104:8 10.20.0.9:14646 10.20.1.104:8 icmp 7 (tmm: 1)99.108.26.170:4500 172.16.1.10:4500 99.108.26.170:4500 10.20.1.101:4500 udp 13 (tmm: 3)10.20.0.9:14082 10.20.1.103:8 10.20.0.9:9736 10.20.1.103:8 icmp 14 (tmm: 2)10.20.0.9:46868 10.20.1.103:8 10.20.0.9:7838 10.20.1.103:8 icmp 4 (tmm: 0)10.20.0.9:13278 10.20.1.103:8 10.20.0.9:13278 10.20.1.103:8 icmp 10 (tmm: 2)10.20.0.9:50581 10.20.1.102:8 10.20.0.9:50581 10.20.1.102:8 icmp 9 (tmm: 1)99.88.254.242:500 172.16.1.10:500 99.88.254.242:79 10.20.1.103:500 udp 4 (tmm: 0)10.20.0.9:30984 10.20.1.103:8 10.20.0.9:11335 10.20.1.103:8 icmp 5 (tmm: 0)108.86.114.132:4500 172.16.1.10:4500 108.86.114.132:51339 10.20.1.103:4500 udp 0 (tmm: 3)10.20.0.9:33176 10.20.1.101:8 10.20.0.9:33176 10.20.1.101:8 icmp 6 (tmm: 0)10.20.0.9:39349 10.20.1.102:8 10.20.0.9:9783 10.20.1.102:8 icmp 4 (tmm: 1)99.88.254.242:4500 172.16.1.10:4500 99.88.254.242:4500 10.20.1.101:4500 udp 3 (tmm: 0)10.20.0.9:21928 10.20.1.104:8 10.20.0.9:21928 10.20.1.104:8 icmp 9 (tmm: 0)10.20.0.9:51093 10.20.1.102:8 10.20.0.9:1810 10.20.1.102:8 icmp 11 (tmm: 1)Total
What_Lies_Bene1
Cirrostratus
Sep 20, 2013
Still a bit hard to read I'm afraid. I normally use the button with a vertical bar of grey on it's left after selecting the relevant text but sometimes I do have to do it twice. What type of VS is this, a standard one? If so, I'd certainly suggest switching to Performance (layer 4).
KernelPanic
Nimbostratus
Sep 20, 2013
It's a 2000 platform, FastL4 is enabled. trying backtic this time

show sys version Sys::Version Main Package Product BIG-IP Version 11.2.1 Build 862.0 Edition Hotfix HF2 Date Wed Nov 21 13:47:12 PST 2012 Hotfix List ID402164 ID400381 ID396072 ID400789 ID404036 ID397435 ID405422 ID399661 ID362739 ID405254 ID397836 ID395272 ID400775 ID398974 ID397882 ID404433 ID404235 ID405415 ID403052 ID397981 ID404037

Sys::Version Main Package Product BIG-IP Version 11.2.1 Build 862.0 Edition Hotfix HF2 Date Wed Nov 21 13:47:12 PST 2012

Hotfix List ID402164 ID400381 ID396072 ID400789 ID404036 ID397435 ID405422 ID399661 ID362739 ID405254 ID397836 ID395272 ID400775 ID398974 ID397882 ID404433 ID404235 ID405415 ID403052 ID397981 ID404037 `

KernelPanic

Nimbostratus

Sep 20, 2013

 config  tmsh show sys connection | grep  172.16.1.10:
99.126.100.55:500  172.16.1.10:500  99.126.100.55:16279  10.20.1.103:500  udp  9  (tmm: 1)
99.108.26.170:500  172.16.1.10:500  99.108.26.170:39835  10.20.1.103:500  udp  5  (tmm: 3)
99.126.100.55:4500  172.16.1.10:4500  99.126.100.55:4500  10.20.1.101:4500  udp   8  (tmm: 1)
99.108.26.170:4500  172.16.1.10:4500  99.108.26.170:4500  10.20.1.101:4500  udp  5  (tmm: 3)
99.88.254.242:500  172.16.1.10:500  99.88.254.242:79  10.20.1.103:500  udp  6  (tmm: 0)
108.86.114.132:4500  172.16.1.10:4500  108.86.114.132:51339  10.20.1.103:4500  udp  0  (tmm: 3)
99.88.254.242:4500  172.16.1.10:4500  99.88.254.242:4500  10.20.1.101:4500  udp  5  (tmm: 0)
[root@etc-rslb-dmvpn-1:Active:Changes Pending] config  tmsh show sys connection
Sys::Connections
10.20.0.9:37128  10.20.1.104:8  10.20.0.9:24195  10.20.1.104:8  icmp  1  (tmm: 0)
10.20.0.9:45498  10.20.1.102:8  10.20.0.9:45498  10.20.1.102:8  icmp  5  (tmm: 2)
10.20.0.9:65288  10.20.1.101:8  10.20.0.9:60298  10.20.1.101:8  icmp  10  (tmm: 0)
10.20.0.9:47519  10.20.1.102:8  10.20.0.9:47519  10.20.1.102:8  icmp  0  (tmm: 3)
10.20.0.9:24889  10.20.1.101:8  10.20.0.9:42103  10.20.1.101:8  icmp  7  (tmm: 1)
10.20.0.9:38264  10.20.1.104:8  10.20.0.9:20805  10.20.1.104:8  icmp  3  (tmm: 0)
99.126.100.55:500  172.16.1.10:500  99.126.100.55:16279  10.20.1.103:500  udp  16  (tmm: 1)
10.20.0.9:29007  10.20.1.101:8  10.20.0.9:40193  10.20.1.101:8  icmp  2  (tmm: 3)
10.20.0.9:60195  10.20.1.104:8  10.20.0.9:60195  10.20.1.104:8  icmp  11  (tmm: 3)
99.108.26.170:500  172.16.1.10:500  99.108.26.170:39835  10.20.1.103:500  udp  12  (tmm: 3)
10.20.0.9:7989  10.20.1.101:8  10.20.0.9:42872  10.20.1.101:8  icmp  1  (tmm: 1)
99.126.100.55:4500  172.16.1.10:4500  99.126.100.55:4500  10.20.1.101:4500  udp   16  (tmm: 1)
10.20.0.9:16245     10.20.1.103:8     10.20.0.9:56063     10.20.1.103:8     icmp  9   (tmm: 1)
10.20.0.9:28045  10.20.1.104:8  10.20.0.9:14646  10.20.1.104:8  icmp  7  (tmm: 1)
99.108.26.170:4500  172.16.1.10:4500  99.108.26.170:4500  10.20.1.101:4500  udp  13  (tmm: 3)
10.20.0.9:14082  10.20.1.103:8  10.20.0.9:9736  10.20.1.103:8  icmp  14  (tmm: 2)
10.20.0.9:46868  10.20.1.103:8  10.20.0.9:7838  10.20.1.103:8  icmp  4  (tmm: 0)
10.20.0.9:13278  10.20.1.103:8  10.20.0.9:13278  10.20.1.103:8  icmp  10  (tmm: 2)
10.20.0.9:50581  10.20.1.102:8  10.20.0.9:50581  10.20.1.102:8  icmp  9  (tmm: 1)
99.88.254.242:500  172.16.1.10:500  99.88.254.242:79  10.20.1.103:500  udp  4  (tmm: 0)
10.20.0.9:30984  10.20.1.103:8  10.20.0.9:11335  10.20.1.103:8  icmp  5  (tmm: 0)
108.86.114.132:4500  172.16.1.10:4500  108.86.114.132:51339  10.20.1.103:4500  udp  0  (tmm: 3)
10.20.0.9:33176  10.20.1.101:8  10.20.0.9:33176  10.20.1.101:8  icmp  6  (tmm: 0)
10.20.0.9:39349  10.20.1.102:8  10.20.0.9:9783  10.20.1.102:8  icmp  4  (tmm: 1)
99.88.254.242:4500  172.16.1.10:4500  99.88.254.242:4500  10.20.1.101:4500  udp  3  (tmm: 0)
10.20.0.9:21928  10.20.1.104:8  10.20.0.9:21928  10.20.1.104:8  icmp  9  (tmm: 0)
10.20.0.9:51093  10.20.1.102:8  10.20.0.9:1810  10.20.1.102:8  icmp  11  (tmm: 1)
Total records returned: 27

What_Lies_Bene1
Cirrostratus
Sep 20, 2013
Thanks. Looks like a bug to me. I've done a search;

http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14061.html < doesn't seem to be this issue but it suggests there are issues with this version.

Not related to the issue but beware this one: http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14398.html.

Is upgrading an option?
KernelPanic
Nimbostratus
Sep 20, 2013
Yes, upgrading is an options,Is there a recommendation for a stable release?

Forum Discussion

IPSEC Affinity Not Working

11 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Understanding IPSec IKEv2 negotiation on Wireshark

Understanding IPSec IKEv1 negotiation on Wireshark

Passthrough IPSec with AFM

Bgp inside ipsec tunnel

BIG-IP to Azure Dynamic IPsec Tunneling