Bug ID 1071621: Increase the number of supported traffic selectors

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3

Fixed In:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1

Opened: Jan 06, 2022

Severity: 4-Minor

Symptoms

There is an imposed limit of 30 traffic selectors that can be attached to an IPsec policy / IKEv2 ike-peer.

Impact

No more than 30 traffic selectors can be added to a single IPsec policy / ike-peer.

Conditions

-- IKEv2 -- More than 30 traffic selectors required on one IPsec policy / ike-peer.

Workaround

None

Fix Information

The behavior of sys db ipsec.maxtrafficselectors has changed. - Max traffic selectors associated with an ike-peer are increased from 30 to 100. - When the sys-db variable is non-zero, the limit is enforced. Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration. - ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit.

Behavior Change

The behavior of sys db ipsec.maxtrafficselectors has changed. - Max traffic selectors associated with an ike-peer are increased from 30 to 100. - When the sys-db variable is non-zero, the limit is enforced. - ipsec.maxtrafficselectors can be set to "0" to indicate there is no limit. Warning: Adding hundreds or thousands of traffic-selectors to an ipsec-policy may result in slow config-load times (for example, during startup). An excessive number of traffic selectors may also slow down IPsec tunnel negotiation. The impact will depend on the BIG-IP system's provisioning and the overall configuration.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips