Last Modified: Oct 15, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3
Opened: May 14, 2025
Severity: 3-Major
Connections arriving at the BIG-IP over an IPsec tunnel may be unexpectedly closed when ipsec.if.checkpolicy is disabled and the Virtual Server uses SNAT.
Connections arriving via IPsec are unexpectedly and prematurely closed.
- BIG-IP with more than 1 TMM.
- IPsec tunnel in Interface mode.
- FastL4 Virtual Server with SNAT.
- sys db ipsec.if.checkpolicy is disabled.
- Traffic is initiated from behind the remote peer and uses auto lasthop to return traffic, i.e. there is no routing for the protected traffic back towards the client.
The sys db ipsec.if.checkpolicy is enabled by default. Do not disable ipsec.if.checkpolicy when SNAT is on the Virtual Server that handles traffic for an IPsec tunnel.
None
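The two configuration conditions listed above (ipsec.if.checkpolicy disabled, FastL4 Virtual Server with SNAT) can be audited from saved tmsh output; the script below is an added example, not F5 tooling. It assumes the layout of `tmsh list sys db ipsec.if.checkpolicy` and `tmsh list ltm virtual` output shown in the constructed samples and matches only the default `fastL4` profile name; the TMM count, tunnel mode and lasthop conditions are not checked.

```python
import re

# Constructed sample of `tmsh list sys db ipsec.if.checkpolicy` output (not from a real device).
SAMPLE_DB = '''sys db ipsec.if.checkpolicy {
    value "disable"
}
'''

# Constructed sample of `tmsh list ltm virtual` output: one FastL4+SNAT virtual, one standard virtual.
SAMPLE_VIRTUALS = '''ltm virtual vs_ipsec_fastl4 {
    destination 10.1.1.10:443
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type automap
    }
}
ltm virtual vs_web {
    destination 10.1.1.20:80
    profiles {
        http { }
    }
    source-address-translation {
        type none
    }
}
'''

def checkpolicy_disabled(db_output):
    # True when the db variable reads "disable" (the default is "enable").
    m = re.search(r'sys db ipsec\.if\.checkpolicy \{[^}]*value "([^"]+)"', db_output)
    return bool(m) and m.group(1).lower() == "disable"

def split_virtuals(listing):
    # Map virtual-server name -> body; a "}" at column 0 closes each top-level tmsh block.
    return {m.group(1): m.group(2) for m in re.finditer(r'^ltm virtual (\S+) \{\n(.*?)^\}', listing, re.S | re.M)}

def fastl4_with_snat(body):
    # Assumption: the default "fastL4" profile name; custom-named FastL4 profiles need their parent checked.
    fastl4 = re.search(r'^\s+fastL4 \{', body, re.M) is not None
    snat = re.search(r'source-address-translation \{\s*type (\S+)', body)
    return fastl4 and bool(snat) and snat.group(1) != "none"

def affected_virtuals(db_output, listing):
    # Virtual servers meeting both configuration conditions; empty when checkpolicy is still enabled.
    if not checkpolicy_disabled(db_output):
        return []
    return sorted(name for name, body in split_virtuals(listing).items() if fastl4_with_snat(body))
```

Run `affected_virtuals` over the real command output on an affected version; any name it returns is a Virtual Server for which the workaround (leave ipsec.if.checkpolicy enabled) applies.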