Bug ID 1126561: Connections over IPsec fail when hardware acceleration in fastl4 is enabled

Last Modified: Dec 28, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1

Opened: Jul 14, 2022

Severity: 3-Major

Symptoms

Connection setup fails through IPsec tunnel.

Impact

Connections through the IPsec tunnel do not work.

Conditions

- rSeries and VELOS platform.
- PVA acceleration is enabled in the fastL4 profile of the IPsec virtual on the responder BIG-IP.

Workaround

Disable PVA acceleration in the relevant fastL4 profile. PVA acceleration cannot be performed on flows going into or coming out of IPsec. This workaround returns the functionality as it was designed. F5 recommends creating Virtual Servers to specifically catch flows that go over IPsec tunnels. If a generic Virtual Server uses a fastL4 profile with acceleration disabled, then non-IPsec flows that could be accelerated will not be.
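To find where the workaround applies, the following added example (not F5 code and not part of the original bug record) lists the virtual servers whose fastL4 profile still has PVA acceleration enabled, following `defaults-from` inheritance. It assumes bigip.conf-style text as input and that the built-in `/Common/fastL4` parent has acceleration set to `full`; all other object names are constructed. It does not know which virtual servers carry IPsec traffic, so compare the output against your IPsec traffic selectors.

```python
import re

BUILTIN = "/Common/fastL4"  # built-in parent profile, normally absent from bigip.conf
ASSUMED_DEFAULT = "full"    # assumption: the built-in parent has acceleration on

def stanzas(conf, prefix):
    """Return {name: body} for top-level '<prefix> <name> { ... }' stanzas."""
    found = {}
    for m in re.finditer(r"^%s (\S+) \{" % re.escape(prefix), conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        found[m.group(1)] = conf[m.end():i - 1]
    return found

def effective_pva(name, profiles, seen=()):
    """Resolve pva-acceleration, following defaults-from when it is unset."""
    body = profiles.get(name)
    if body is None or name in seen:
        return ASSUMED_DEFAULT
    own = re.search(r"^\s*pva-acceleration (\S+)", body, re.M)
    parent = re.search(r"^\s*defaults-from (\S+)", body, re.M)
    if own or not parent:
        return own.group(1) if own else ASSUMED_DEFAULT
    return effective_pva(parent.group(1), profiles, seen + (name,))

def accelerated_virtuals(conf):
    """List (virtual, fastL4 profile, mode) where the mode is not 'none'."""
    profiles = stanzas(conf, "ltm profile fastl4")
    hits = []
    for vs, body in sorted(stanzas(conf, "ltm virtual").items()):
        for prof in re.findall(r"(/\S+) \{", body):
            mode = effective_pva(prof, profiles)
            if (prof in profiles or prof == BUILTIN) and mode != "none":
                hits.append((vs, prof, mode))
    return hits

# Constructed, simplified configuration (not taken from a real device).
SAMPLE = """\
ltm profile fastl4 /Common/fastl4_noaccel {
    pva-acceleration none
}
ltm profile fastl4 /Common/fastl4_child {
    defaults-from /Common/fastl4_noaccel
}
ltm virtual /Common/vs_ipsec_flows { profiles { /Common/fastl4_child { } } }
ltm virtual /Common/vs_generic { profiles { /Common/fastL4 { } } }
"""
```

On the sample, `accelerated_virtuals(SAMPLE)` reports only `vs_generic`, because `vs_ipsec_flows` inherits `pva-acceleration none` through its parent profile.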

Fix Information

None

Behavior Change
