Last Modified: Nov 07, 2022
Affected Product:
See more info
BIG-IP TMOS
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1
Fixed In:
17.0.0, 16.1.2.2, 15.1.6.1
Opened: May 18, 2021
Severity: 3-Major
In high availability (HA) setup, after failover, the newly active BIG-IP device, will send ikev2_message_id_sync messages to the other device. If the BIG-IP device did not receive a response, it has to retransmit the packet. Some of the IKE tunnels are trying to retransmitting the packet, but its not going out of BIG-IP due to wrong state of relation between IKE tunnel and connection flow. After 5 retries, it marks the peer as down, and the IKE tunnel is deleted.
Traffic loss.
-- High availability (HA) environment -- IKE tunnels configured -- A failover occurs
None
Fetch latest connection flow during retransmission of IKE/IPSEC packet.
