Bug ID 1048137: IPsec IKEv1 intermittent but consistent tunnel setup failures

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
16.1.3, 16.1.2.2, 16.1.2.1, 16.1.2, 16.1.1, 16.1.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5.1, 15.1.5, 15.1.4.1

Fixed In:
17.0.0, 16.1.3.1, 15.1.9

Opened: Sep 21, 2021

Severity: 3-Major

Symptoms

IKEv1 tunnels fail to start or re-key after an upgrade. In the racoon.log file a clear sign of this issue is the combination of an IPsec SA being established and a buffer space error immediately after: INFO: IPsec-SA established: ESP/Tunnel 172.16.1.6[0]->172.16.12.6[0] spi=2956426629(0xb0377d85) ERROR: pfkey UPDATE failed: No buffer space available

Impact

IPsec tunnels will stop working after being up for an initial period of time.

Conditions

-- IPsec IKEv1 tunnels

Workaround

The only workaround is to switch to IKEv2.

Fix Information

Internal message handling related to IKEv2 high availability (HA) has changed, unintentionally breaking IKEv1's ability to keep tunnel states up-to-date. IKEv1 can now track tunnel state correctly. Note: IKEv1 high availability (HA) / mirroring is still not supported and there is no plan to support it.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips