Forum Discussion

kandregg_49068
Aug 11, 2015

IPSec protocol 50 unreachable

Anyone seen this before?

    13:18:12.263595 IP 166.130.153.10.500 > 134.186.111.134.500: isakmp: phase 1 I ident
    13:18:13.492500 IP 166.130.152.195 > 134.186.111.134: ESP(spi=0xdaae26d3,seq=0xe5), length 100
    13:18:13.493080 IP 134.186.111.131 > 166.130.152.195: ICMP 134.186.111.131 protocol 50 unreachable, length 128

2 Replies

  • Hi,

    You don't say which end is which so I'm assuming that 134.186.11.134 is your local end and 166.130.152.195 is the remote end. This looks like the remote end is blocking ESP traffic. Victor and I recently came across a similar issue, but it was our local F5 BIG-IP that was generating the ICMP protocol 50 unreachable response.

    I found that in our case the BIG-IP had the wrong setting:

    tmsh list sys db ipsec.lookupspi
    sys db ipsec.lookupspi {
        value "disable"
    }

    As in our case the BIG-IP was the IPSEC endpoint, we needed to change the setting to:

    tmsh list sys db ipsec.lookupspi
    sys db ipsec.lookupspi {
        value "enable"
    }

    using the command:

    tmsh modify sys db ipsec.lookupspi value enable
    tmsh save sys config

    The KB article SOL14169 shows that the setting may need disabling if the BIG-IP is NOT terminating the IPSEC traffic, but this implies that if the BIG-IP IS terminating IPSEC traffic the setting needs to be enabled.
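Added example, not code from the thread or from F5: a small Python triage script that pairs the ESP packets in a tcpdump capture like the one in the question with the "protocol 50 unreachable" replies sent back to their sender, reports which host emitted the ICMP and whether it falls inside a network you declare as local (so you know whether to check your own endpoint's ipsec.lookupspi setting, as in the reply, or to look at the peer), and parses the value out of `tmsh list sys db ipsec.lookupspi` output. The function names `triage` and `lookupspi_value`, the `local_nets` parameter and the two sample inputs are my own, constructed from the values quoted above.

```python
import ipaddress
import re

# Constructed sample: the three tcpdump lines quoted in the question above.
SAMPLE_CAPTURE = """\
13:18:12.263595 IP 166.130.153.10.500 > 134.186.111.134.500: isakmp: phase 1 I ident
13:18:13.492500 IP 166.130.152.195 > 134.186.111.134: ESP(spi=0xdaae26d3,seq=0xe5), length 100
13:18:13.493080 IP 134.186.111.131 > 166.130.152.195: ICMP 134.186.111.131 protocol 50 unreachable, length 128
"""
# Constructed sample of 'tmsh list sys db ipsec.lookupspi' output, as shown in the reply.
SAMPLE_TMSH = 'sys db ipsec.lookupspi {\n    value "disable"\n}\n'

ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\)")
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<orig_dst>[\d.]+) protocol (?P<proto>\d+) unreachable")
LOOKUPSPI_RE = re.compile(r'sys db ipsec\.lookupspi \{\s*value "(?P<value>\w+)"\s*\}')


def triage(capture, local_nets):
    """Pair each ESP packet with a later 'protocol 50 unreachable' sent back to its source.

    A finding names the SPI, the host that emitted the ICMP and whether that host lies in
    one of the operator-declared local networks (CIDR strings): "local" points at our own
    endpoint (e.g. a BIG-IP not looking up the SPI), "remote" points at the peer.
    """
    pending = {}   # ESP source address -> [(ESP destination, SPI), ...]
    findings = []
    for line in capture.splitlines():
        m = ESP_RE.match(line)
        if m:
            pending.setdefault(m["src"], []).append((m["dst"], m["spi"]))
            continue
        m = ICMP_RE.match(line)
        if m and m["proto"] == "50":
            # The ICMP is addressed to the ESP sender, so pending[m["dst"]] holds its packets.
            # The address tcpdump prints after "ICMP" is the destination from the embedded original header.
            rejecter = ipaddress.ip_address(m["src"])
            side = "local" if any(rejecter in ipaddress.ip_network(n) for n in local_nets) else "remote"
            for esp_dst, spi in pending.pop(m["dst"], []):
                findings.append({"spi": spi, "esp_dst": esp_dst, "orig_dst": m["orig_dst"],
                                 "rejected_by": str(rejecter), "side": side})
    return findings


def lookupspi_value(tmsh_output):
    """Return the ipsec.lookupspi value ('enable' / 'disable') from 'tmsh list' output, or None."""
    m = LOOKUPSPI_RE.search(tmsh_output)
    return m["value"] if m else None
```

With the thread's capture and 134.186.111.0/24 declared local, the one finding is SPI 0xdaae26d3 rejected by 134.186.111.131 on the local side.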