Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Fixed In:
17.0.0, 16.1.2.2, 15.1.6.1
Opened: May 18, 2021 Severity: 3-Major
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device. If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow. After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.
Traffic loss.
-- High availability (HA) environment -- IKE tunnels configured -- A failover occurs
None
Fetch latest connection flow during retransmission of IKE/IPSEC packet.