Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1
Fixed In:
14.0.0, 13.1.1.2, 12.1.3.6
Opened: Aug 17, 2017 Severity: 4-Minor
Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all of the IKEv1 tunnels or all of the IKEv2 tunnels on that address fail to establish. Note: This is as designed; the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent the configuration, and nothing indicates why the tunnels fail.
Impact:
Either the IKEv1 or the IKEv2 tunnels on the shared address do not work, because the IKE listener for that version cannot be established. Usually it is the IKEv1 tunnels that stop working after a tmm restart or BIG-IP reboot.
Conditions:
-- The same self IP is used as the local address of an IKEv1 IPsec tunnel and as the local address of an IKEv2 IPsec tunnel.
-- Competing IKEv1 and IKEv2 listeners are therefore created on that address.
Workaround:
Use a different self IP as the local address of one of the tunnels, so that IKEv1 and IKEv2 tunnels never share a local address. Note: If all IKEv1 tunnels use one local address and all IKEv2 tunnels use another, everything works as expected.
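The following audit script is an added example, not code from F5 or from this bug page. It parses the output of `tmsh list net ipsec ike-peer` (the sample here is constructed, not captured from a device) and reports every local self IP that is used by both IKEv1 and IKEv2 peers, which is the unsupported condition described above. It assumes, which the page does not state, that a peer's `my-id-value` is the local listener address when `my-id-type` is `address`, and that a peer with no explicit `version` is IKEv1; if your deployment derives the local address differently (for example from the ipsec-policy `tunnel-local-address`), adjust `listener_address`. The function names and the peer names in the sample are hypothetical.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `tmsh list net ipsec ike-peer` output (not captured from
# a real BIG-IP). Two peers share the local self IP 10.0.0.10 with different IKE
# versions, which is the unsupported combination; 10.0.0.20 is IKEv1 only.
SAMPLE_TMSH = """\
net ipsec ike-peer /Common/site-a-v1 {
    my-id-type address
    my-id-value 10.0.0.10
    peers-id-type address
    peers-id-value 198.51.100.1
    remote-address 198.51.100.1
    version { v1 }
}
net ipsec ike-peer /Common/site-b-v2 {
    my-id-type address
    my-id-value 10.0.0.10
    remote-address 198.51.100.2
    traffic-selector /Common/site-b-ts
    version { v2 }
}
net ipsec ike-peer /Common/site-c-v1 {
    my-id-type address
    my-id-value 10.0.0.20
    remote-address 198.51.100.3
    version { v1 }
}
"""

OBJ_RE = re.compile(r"^net ipsec ike-peer (\S+) \{$")
INLINE_SET_RE = re.compile(r"^(\S+) \{ ?(.*?) ?\}$")   # e.g. "version { v1 v2 }"
KV_RE = re.compile(r"^(\S+) (.+)$")                     # e.g. "my-id-value 10.0.0.10"


def parse_ike_peers(text):
    """Parse a tmsh ike-peer listing into {peer name: {attribute: value}}.

    Scalar attributes become strings; inline brace lists become sets.
    Nested multi-line blocks are skipped because the check does not need them.
    """
    peers = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None:
            m = OBJ_RE.match(line)
            if m:
                current = {"name": m.group(1)}
                depth = 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                peers[current["name"]] = current
                current = None
            continue
        if line.endswith("{"):          # start of a nested block: skip its body
            depth += 1
            continue
        if depth > 1:
            continue
        m = INLINE_SET_RE.match(line)
        if m:
            current[m.group(1)] = set(m.group(2).split())
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return peers


def listener_address(peer):
    """Local address the IKE listener is assumed to use for this peer.

    Assumption (not stated on the bug page): when my-id-type is `address`,
    my-id-value is the local self IP. Peers identified some other way
    (fqdn, keyid, ...) return None and are skipped by the check.
    """
    if peer.get("my-id-type") == "address":
        return peer.get("my-id-value")
    return None


def find_shared_local_addresses(peers):
    """Return {local_ip: {"v1": set(names), "v2": set(names)}} for every local
    address that carries both IKEv1 and IKEv2 peers. A single peer listing
    both versions on one address is reported as well."""
    by_addr = defaultdict(lambda: {"v1": set(), "v2": set()})
    for name, peer in peers.items():
        addr = listener_address(peer)
        if addr is None:
            continue
        versions = peer.get("version") or {"v1"}   # assumption: default is v1
        for v in versions:
            if v in ("v1", "v2"):
                by_addr[addr][v].add(name)
    return {a: vs for a, vs in by_addr.items() if vs["v1"] and vs["v2"]}


def report(conflicts):
    """One human-readable line per conflicting local address."""
    return [
        f"{addr}: IKEv1 {sorted(vs['v1'])} and IKEv2 {sorted(vs['v2'])} share "
        f"one local address; move one group to another self IP"
        for addr, vs in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    # Pipe real output in (tmsh list net ipsec ike-peer | python3 this.py)
    # or run without input to check the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TMSH
    found = find_shared_local_addresses(parse_ike_peers(text))
    print("\n".join(report(found)) or "no IKEv1/IKEv2 local-address sharing found")
```

Run this on the saved output before a tmm restart or reboot, since that is when the losing listener usually stops coming up; a non-empty report means one of the two peer groups should be moved to a separate self IP as the workaround describes.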
Fix Information:
The system now logs to /var/log/ltm when the IKE listener fails to establish, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.