Last Modified: May 29, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1
Fixed In:
17.0.0, 16.1.2.2
Opened: Jan 19, 2022
Severity: 3-Major
When disabling an ike-peer, sometimes the traffic-selector is not marked "down" in one or both directions.
Cosmetic. The traffic selector is incorrectly reported as up for one or both directions.
All the following must be true:
- IKEv2 IPsec tunnel
- A nonzero value for ipsec.pfkey.load, ipsec.sp.migrate and ipsec.sp.owner is set.
- During the life of the SA the tunnel was migrated to another tmm owner.
The final point is not normally visible unless debug2 logging is enabled on ike-daemon.
The selector state cannot be changed unless it goes up/down again. There is no way to manually fix it.
Disabling an ike-peer config object will correctly mark the associated traffic-selector down.