Last Modified: May 29, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
16.1.3, 16.1.2.2, 16.1.2.1, 16.1.2, 16.1.1, 16.1.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5.1, 15.1.5, 15.1.4.1
Fixed In:
17.0.0, 16.1.3.1, 15.1.9
Opened: Sep 21, 2021
Severity: 3-Major
IKEv1 tunnels fail to start or re-key after an upgrade. In the racoon.log file a clear sign of this issue is the combination of an IPsec SA being established and a buffer space error immediately after:

    INFO: IPsec-SA established: ESP/Tunnel 172.16.1.6[0]->172.16.12.6[0] spi=2956426629(0xb0377d85)
    ERROR: pfkey UPDATE failed: No buffer space available
IPsec tunnels will stop working after being up for an initial period of time.
-- IPsec IKEv1 tunnels
The only workaround is to switch to IKEv2.
Internal message handling related to IKEv2 high availability (HA) has changed, unintentionally breaking IKEv1's ability to keep tunnel states up-to-date. IKEv1 can now track tunnel state correctly. Note: IKEv1 high availability (HA) / mirroring is still not supported and there is no plan to support it.
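The racoon.log signature described above can be checked for mechanically. The following is an added example, not F5 code: the function name and the sample log are constructed for illustration, apart from the first two sample lines, which are the ones quoted above. It assumes that "immediately after" means the next non-blank line, and it tolerates a timestamp or other prefix before INFO:/ERROR:.

```python
import re
import sys

# Patterns built from the two log lines quoted in the symptom description.
SA_ESTABLISHED = re.compile(
    r"INFO: IPsec-SA established: (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] "
    r"spi=(?P<spi>\d+)\((?P<spi_hex>0x[0-9a-fA-F]+)\)"
)
PFKEY_FAILED = re.compile(r"ERROR: pfkey UPDATE failed: No buffer space available")


def find_failed_sa_updates(lines):
    """Return one dict per SA whose 'established' line is directly followed
    (ignoring blank lines) by the pfkey buffer-space error."""
    hits = []
    pending = None  # most recent 'established' match, valid for the next line only
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        if pending and PFKEY_FAILED.search(line):
            hits.append(pending)
            pending = None
            continue
        m = SA_ESTABLISHED.search(line)
        pending = dict(m.groupdict(), line=lineno) if m else None
    return hits


# Constructed sample: one affected SA, one SA with no error after it,
# and one pfkey error that does not follow an 'established' line.
SAMPLE_LOG = """\
INFO: IPsec-SA established: ESP/Tunnel 172.16.1.6[0]->172.16.12.6[0] spi=2956426629(0xb0377d85)
ERROR: pfkey UPDATE failed: No buffer space available
INFO: IPsec-SA established: ESP/Tunnel 172.16.12.6[0]->172.16.1.6[0] spi=305419896(0x12345678)
INFO: constructed unrelated log line
ERROR: pfkey UPDATE failed: No buffer space available
"""

if __name__ == "__main__":
    # Pass the path to a copy of racoon.log, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for hit in find_failed_sa_updates(log_lines):
        print("line {line}: {proto} {src}->{dst} spi={spi_hex} not installed".format(**hit))
```
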