Bug ID 1144477: IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.0, 16.1.4

Opened: Aug 30, 2022

Severity: 2-Critical

Symptoms

When a new IPsec tunnel is negotiated, the IKE_SA_INIT exchange is sent with source port 500 and destination port 4500. The destination port should be 500.

Impact

Interoperability issue: the tunnel is not established with other devices.

Conditions

This issue is observed after deleting the IKE SA from tmsh.

Workaround

None

Fix Information

The default configuration was overwritten after tunnel establishment. The fix adds valid conditions that are checked before the configuration is overwritten.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips