Bug ID 1071621: Increase the number of supported traffic selectors

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3

Fixed In:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1

Opened: Jan 06, 2022

Severity: 4-Minor

Symptoms

There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.

Impact

No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.

Conditions

-- IKEv2
-- More than 30 traffic selectors required on one IPsec policy / ike-peer.

Workaround

None

Fix Information

The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.

Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.

Behavior Change

The behavior of sys db ipsec.maxtrafficselectors has changed.
- Max traffic selectors associated with an ike-peer are increased from 30 to 100.
- When the sys-db variable is non-zero, the limit is enforced.
- ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.

Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.
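
Added example (not F5 code): a pre-change audit that counts traffic selectors per ipsec-policy in configuration text and applies the limit semantics described above (30 before the fix, 100 after, 0 meaning no limit). The stanza layout is assumed to follow tmsh-style "net ipsec traffic-selector" blocks; all object names and addresses are constructed.

```python
import re
from collections import Counter

# Assumed stanza layout: tmsh-style "net ipsec traffic-selector" blocks.
STANZA = re.compile(r"^net ipsec traffic-selector (\S+) \{(.*?)^\}", re.M | re.S)
POLICY = re.compile(r"^\s*ipsec-policy (\S+)\s*$", re.M)


def make_sample(policy, count):
    """Build a constructed config with `count` selectors on one policy."""
    return "".join(
        f"net ipsec traffic-selector /Common/ts_{policy}_{i} {{\n"
        f"    destination-address 10.{i}.0.0/24\n"
        f"    ipsec-policy /Common/{policy}\n"
        f"    source-address 192.0.2.0/24\n"
        f"}}\n"
        for i in range(count)
    )


def selectors_per_policy(config_text):
    """Count traffic-selector stanzas attached to each ipsec-policy."""
    counts = Counter()
    for _name, body in STANZA.findall(config_text):
        match = POLICY.search(body)
        if match:
            counts[match.group(1)] += 1
    return counts


def over_limit(counts, max_selectors):
    """Policies above the limit; 0 means no limit, as in the fix notes."""
    if max_selectors == 0:
        return {}
    return {p: n for p, n in counts.items() if n > max_selectors}


# Constructed sample: 45 selectors on one policy, 3 on another.
SAMPLE_CONFIG = make_sample("site1", 45) + make_sample("site2", 3)

if __name__ == "__main__":
    counts = selectors_per_policy(SAMPLE_CONFIG)
    for limit in (30, 100, 0):  # old limit, new limit, unlimited
        print(f"ipsec.maxtrafficselectors={limit}: {over_limit(counts, limit)}")
```

Policies whose count approaches the hundreds are the ones to watch for the config-load and tunnel-negotiation slowdown the warning describes.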
