Bug ID 755716: IPsec connection can fail if connflow expiration happens before IKE encryption

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0, 14.1.2.8

Opened: Jan 16, 2019

Severity: 2-Critical

Symptoms

IKEv2 negotiation fails, and the tmm log shows the following error: notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context

Impact

IKE negotiation fails, so an SA cannot be established.

Conditions

Unusual timing that results in connflow expiration immediately preceding Diffie-Hellman generation.

Workaround

None.

Fix Information

Missing connection context is now replaced, so IKE negotiation can continue.

Behavior Change
