Last Modified: Dec 07, 2023
Known Affected Versions:
184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199
Opened: Jul 21, 2022
Severity: 3-Major
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured. For example, a command that changes the IP address of the object may lead to a core:

# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 188.8.131.52

Traffic disrupted while tmm restarts.
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.

Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.

For example:

# tmsh modify net ipsec ike-peer <Name> state disabled
# tmsh delete net ipsec ike-sa peer-ip <IP>
# tmsh delete net ipsec ipsec-sa dst-addr <IP>

"Name" is the specific name given to the ike-peer config object. "IP" is the address configured to use for the remote peer.

Then make the desired changes and enable the IKE-Peer.

# tmsh modify net ipsec ike-peer <Name> state enabled
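
The workaround above as a single wrapper that enforces the order of the steps. This is an added example, not vendor code: the function name, the TMSH override variable and the sample addresses in the comments are assumptions, and only the tmsh commands themselves come from this page.

```shell
#!/bin/sh
# Apply a tunnel change only while the IKE peer is disabled and its SAs are gone.
# TMSH is a hypothetical override: set TMSH="echo tmsh" to print the commands
# instead of running them (dry run).
TMSH="${TMSH:-tmsh}"

# usage: reconfigure_with_tunnel_down <ike-peer-name> <peer-ip> <tmsh args for the change...>
# e.g. (constructed sample values):
#   reconfigure_with_tunnel_down my-peer 192.0.2.10 \
#       modify net tunnels tunnel my-ipsec-tunnel remote-address 198.51.100.7
reconfigure_with_tunnel_down() {
    if [ "$#" -lt 3 ]; then
        echo "usage: reconfigure_with_tunnel_down <ike-peer-name> <peer-ip> <tmsh change args...>" >&2
        return 2
    fi
    peer_name=$1
    peer_ip=$2
    shift 2

    # 1. Disable the IKE peer so the tunnel cannot renegotiate mid-change.
    #    If any step before the change fails, stop without touching the tunnel
    #    object; the peer stays disabled for the operator to inspect.
    $TMSH modify net ipsec ike-peer "$peer_name" state disabled || return 1

    # 2. Delete the established IKE SA and IPsec SA for that peer.
    $TMSH delete net ipsec ike-sa peer-ip "$peer_ip" || return 1
    $TMSH delete net ipsec ipsec-sa dst-addr "$peer_ip" || return 1

    # 3. Make the desired change now that the tunnel is down.
    rc=0
    $TMSH "$@" || rc=$?

    # 4. Re-enable the peer even if the change failed, so a rejected change
    #    does not leave the tunnel administratively down.
    $TMSH modify net ipsec ike-peer "$peer_name" state enabled || return 1

    # Report the result of the change itself.
    return "$rc"
}
```

Run it once with TMSH="echo tmsh" to review the exact command sequence before executing it on the device.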