General Config & Troubleshooting

This page describes general configuration aspects to consider when troubleshooting.

The majority of IPsec problems stem from a configuration mistake.

Check ESP

Read the ESP Protocol page and verify whether ESP packets are passing between the two peers. Capture the packets to verify if necessary.

Self IP

The ipsec-policy tunnel-local-address must exist as a self IP. For HA, a floating self IP is preferrable. It is possible to bring up a tunnel without a self IP that for the tunnel-local-address, but the BIG-IP will send ICMP protocol unreachables for ESP after that.

Routing

A route to the remote private network must exist. For example via the local next-hop ISP gateway. A default route is okay.

If there is no default route then a route to the remote peer’s public address and a route to the remote private network is required. The route to the remote private network can point anywhere because IPsec will catch the packet before a final routing decision.

Interface mode tunnels require a route for the remote private network via the IPsec interface *not a gateway IP.

Virtual Server

What Virtual Server has been configured to handle the private traffic?

Interface and Tunnel Mode Overlap

Ensure that tunnel mode and interface mode tunnels have not been accidentally configured for the same remote peer. Look for a ‘net tunnel’ config that overlaps or uses the same IPs as a ‘net ipsec ipsec-policy’.

Selector Overlapping

Ensure that whereever possible, traffic selectors are not duplicated and don’t overlap.

Duplicated wildcard (0.0.0.0/0) selectors are valid for IPsec interface mode only.

Connection Flow

Verify whether the private network traffic has entries in the connection table.

# show sys conn cs-client-addr  10.2.1.0/24
Sys::Connections
10.2.1.1:38800  10.1.1.1:22  10.2.1.1:38800  10.1.1.1:22  tcp  90  (tmm: 2)  none  none
Total records returned: 1

Delete ISAKMP and IPsec SAs

Deleting SAs can clear an inconsistent view of tunnel states between two peers. Sometimes a peer may be using an IPsec SA that is dead on the other peer.

Refer to the ISAKMP and IPsec instructions.

Restart tmipsecd or Reboot

Restarting tmipsecd should be an option of last resort. It can occassionally fix a bad config state internally, especially if a tunnel has been converted from one mode to another. Expect the command to cause all tunnels to go down.

# bigstart restart tmipsecd

Restarting tmm instead of tmipsecd is a final option, this is service impacting akin to a reboot, so a reboot would be a simpler option.

Top | Flowchart | Contents