Bug ID 1029949: IPsec traffic selector state may show incorrect state on high availability (HA) standby device

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 16.1.0, 16.1.1

Fixed In:
17.0.0, 16.1.2

Opened: Jun 30, 2021

Severity: 2-Critical

Symptoms

IPsec traffic selector state can be viewed in the config utility or by tmsh with the "tmsh show net ipsec traffic-selector" command. On an high availability (HA) standby device, some selector states may be incorrect.

Impact

There is no functional impact. The issue is that a selector may incorrectly appear down in one or both directions.

Conditions

-- High availability (HA) environment -- Standby reboots or in some way, such as a tmm restart, is forced to re-learn all the mirrored IPsec security associations (SAs).

Workaround

When the tunnel re-keys on the high availability (HA) active device, the selector state shows the correct value.

Fix Information

IPsec traffic selectors show the correct state after the high availability (HA) standby device reboots.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips