Last Modified: Apr 10, 2019
Opened: Oct 30, 2014
Racoon core and connections issue with IPsec between BIG-IP system and Azure client.
This issue has been seen only once. Some connection issues might occur as a result of IPsec SA re-key attempt failures. A crash might occur because of logging issues when IKE logging level debug2 is enabled.
IKE logging level debug2 is enabled. The BIG-IP system's phase2 algorithm is SHA1 and the Azure phase2 algorithms are SHA2 and SHA1, in that order.

This is a configuration issue. The BIG-IP system supports SHA1 for the phase2 algorithm, and Azure supports the SHA2 and SHA1 algorithms. When the BIG-IP system, as the initiator, sends SHA1 for phase2, Azure rejects the proposal with the response NO-PROPOSAL-CHOSEN. This occurs because Azure checks the BIG-IP system's proposal against SHA2 only. When Azure, as the initiator, sends SHA2 and SHA1 for phase2, the BIG-IP system, as the responder, selects SHA1, and the tunnel comes up.
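The direction-dependent outcome described above can be reproduced with a simplified model of phase2 algorithm selection. This is an added example, not F5 or Azure code. The `Peer` type, the `match` policy names and `direction_report` are hypothetical, and the "first-only" policy is an assumption that models the responder comparing offers against SHA2 only.

```python
# Simplified model of IKE phase2 authentication-algorithm selection.
# Peer, the policy names and direction_report are hypothetical (not BIG-IP or Azure settings).
from dataclasses import dataclass

NO_PROPOSAL_CHOSEN = "NO-PROPOSAL-CHOSEN"

@dataclass(frozen=True)
class Peer:
    name: str
    auth_algs: tuple  # phase2 algorithms in preference order
    match: str        # "any": accept any offered algorithm it also lists
                      # "first-only": compare offers with its first preference only

def respond(responder, offered):
    """Return the algorithm the responder selects, or NO_PROPOSAL_CHOSEN."""
    if responder.match == "first-only":
        acceptable = responder.auth_algs[:1]
    else:
        acceptable = responder.auth_algs
    for alg in offered:
        if alg in acceptable:
            return alg
    return NO_PROPOSAL_CHOSEN

def negotiate(initiator, responder):
    """The initiator offers its whole list; the responder selects or rejects."""
    return respond(responder, initiator.auth_algs)

def direction_report(a, b):
    """Outcome per initiator, plus a flag for tunnels that negotiate one way only."""
    result = {a.name: negotiate(a, b), b.name: negotiate(b, a)}
    failed = [name for name, res in result.items() if res == NO_PROPOSAL_CHOSEN]
    result["asymmetric"] = len(failed) == 1
    return result

# Constructed peers matching the condition described above.
bigip = Peer("bigip", ("SHA1",), "any")
azure = Peer("azure", ("SHA2", "SHA1"), "first-only")

if __name__ == "__main__":
    # Keys are initiator names; values are the negotiation result.
    print(direction_report(bigip, azure))
```

An `asymmetric` result means the tunnel can come up when one side initiates while negotiations started by the other side are rejected.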