Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 16.1.0, 16.1.1
Fixed In:
17.0.0, 16.1.2
Opened: Jun 30, 2021 Severity: 2-Critical
IPsec traffic selector state can be viewed in the config utility or by tmsh with the "tmsh show net ipsec traffic-selector" command. On an high availability (HA) standby device, some selector states may be incorrect.
There is no functional impact. The issue is that a selector may incorrectly appear down in one or both directions.
-- High availability (HA) environment -- Standby reboots or in some way, such as a tmm restart, is forced to re-learn all the mirrored IPsec security associations (SAs).
When the tunnel re-keys on the high availability (HA) active device, the selector state shows the correct value.
IPsec traffic selectors show the correct state after the high availability (HA) standby device reboots.