Bug ID 1128169: TMM core when IPsec tunnel object is reconfigured

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5

Fixed In:
17.1.0, 16.1.4

Opened: Jul 21, 2022

Severity: 3-Major

Symptoms

TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured. For example, a command that changes the IP address of the object may lead to a core: # tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4

Impact

Traffic disrupted while tmm restarts.

Conditions

-- IPsec IKEv1 or IKEv2. -- Tunnel is in "interface" mode. -- Tunnel object is reconfigured while the tunnel is up.

Workaround

Ensure the tunnel is down before reconfiguring it. -- Set the IKE-Peer config state to disabled. -- Delete an established IKE SA and IPsec SA related to that peer. For example: # tmsh modify net ipsec ike-peer <Name> state disabled # tmsh delete net ipsec ike-sa peer-ip <IP> # tmsh delete net ipsec ipsec-sa dst-addr <IP> "Name" is the specific name given to the ike-peer config object. "IP" is the address configured to use for the remote peer. Then make the desired changes and enable the IKE-Peer. # tmsh modify net ipsec ike-peer <name> state enabled

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips