Bug ID 897509: IPsec SAs are missing on HA standby, leading to packet drops after failover

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:
16.1.0, 15.1.4.1

Opened: Apr 09, 2020

Severity: 2-Critical

Symptoms

IPsec Security Associations (SAs) are missing on the standby high availability (HA) device.

Impact

During an HA failover, IPsec tunnels may be disrupted because the newly active device is not aware of some IPsec SAs.

Conditions

-- HA mirroring is configured
-- IKEv2 tunnels are started

Workaround

None

Fix Information

IPsec SAs are now mirrored correctly to the HA standby device. Note that HA failover for IPsec tunnels is supported only when IKEv2 tunnels are in use.

Behavior Change
