Bug ID 1074113: IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer

Last Modified: May 03, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 17.0.0

Fixed In:
16.1.2.2

Opened: Jan 19, 2022
Severity: 3-Major

Symptoms

When disabling an ike-peer, sometimes the traffic-selector is not marked "down" in one or both directions.

Impact

Cosmetic. The traffic selector is incorrectly reported as up for one or both directions.

Conditions

All the following must be true -- IKEv2 IPsec tunnel -- A nonzero value for ipsec.pfkey.load, ipsec.sp.migrate and ipsec.sp.owner is set. -- During the life of the SA the tunnel was migrated to another tmm owner. The final point is not normally visible unless debug2 logging is enabled on ike-daemon.

Workaround

The selector state cannot be changed unless it goes up/down again. There is no way to manually fix it.

Fix Information

Disabling an ike-peer config object will correctly mark the associated traffic-selector down.

Behavior Change