Bug ID 1128169: TMM core when IPsec tunnel object is reconfigured

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5

Fixed In:
17.1.0, 16.1.4

Opened: Jul 21, 2022

Severity: 3-Major

Symptoms

TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured. For example, a command that changes the IP address of the object may lead to a core:

# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4

Impact

Traffic disrupted while tmm restarts.

Conditions

-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.

Workaround

Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.

For example:

# tmsh modify net ipsec ike-peer <Name> state disabled
# tmsh delete net ipsec ike-sa peer-ip <IP>
# tmsh delete net ipsec ipsec-sa dst-addr <IP>

"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.

Then make the desired changes and enable the IKE-Peer.

# tmsh modify net ipsec ike-peer <Name> state enabled

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips