Bug ID 1019357: Active fails to resend ipsec ikev2_message_id_sync if no response received

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 16.1.0, 16.1.1, 16.1.2

Fixed In:

Opened: May 18, 2021
Severity: 3-Major


In a high availability (HA) setup, after failover, the newly active BIG-IP device sends ikev2_message_id_sync messages to the other device. If the BIG-IP device does not receive a response, it has to retransmit the packet. Some of the IKE tunnels try to retransmit the packet, but it does not leave the BIG-IP device because the relation between the IKE tunnel and its connection flow is in the wrong state. After 5 retries, the device marks the peer as down and deletes the IKE tunnel.


Traffic loss.


-- High availability (HA) environment
-- IKE tunnels configured
-- A failover occurs



Fix Information

Fetch the latest connection flow during retransmission of an IKE/IPsec packet.

Behavior Change