Bug ID 1073965: IPsec IKEv2 tunnel may report huge "life" for IKE SA.

Last Modified: Oct 04, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.0.0, 17.0.0.1, 17.0.0.2

Opened: Jan 19, 2022

Severity: 4-Minor

Symptoms

The output of "tmsh show net ipsec ike-sa" will report an impossibly high life value. tmsh show net ipsec ike-sa | grep Life Life/Active Time: 18446744073709551028/6 seconds Decrypting the IKE AUTH payload will show something similar to this: Decrypted Data (160 bytes) Contained Data (156 bytes) Payload: Identification - Responder (36) Payload: Authentication (39) Payload: Security Association (33) Payload: Traffic Selector - Initiator (44) # 1 Payload: Traffic Selector - Responder (45) # 1 Payload: Notify (41) - AUTH_LIFETIME Next payload: NONE / No Next Payload (0) 0... .... = Critical Bit: Not Critical .000 0000 = Reserved: 0x00 Payload length: 12 Protocol ID: RESERVED (0) SPI Size: 0 Notify Message Type: AUTH_LIFETIME (16403) Notification DATA: fffffdb4 Authentication Lifetime: 4294966708 seconds (1193046 hour(s) 18 minute(s) 28 second(s)) Padding (3 bytes) Pad Length: 3

Impact

In general this is not a problem unless the DPD/liveness is disabled and the remote peer silently goes away. Under perfect conditions, the remote peer would send a delete for the IKE SA to the BIG-IP and cause the BIG-IP (as initiator) to start a new IKE SA as required.

Conditions

-- IKEv2 -- BIG-IP is initiator -- Responder sends very high value (close to maximum possible in 4 byte payload) for Authentication Lifetime in IKE AUTH phase.

Workaround

Ensure the remote peer sends a more reasonable value such as 1 day for the IKE AUTH lifetime. Strongswan devices have been observed to send a very high value when configured with an unreasonably low "ikelifetime" (in the order of a few minutes).

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips