Bug ID 1128169: TMM core when IPsec tunnel object is reconfigured

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:,,,,

Fixed In:
17.1.0, 16.1.4

Opened: Jul 21, 2022

Severity: 3-Major


TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured. For example, a command that changes the IP address of the object may lead to a core: # tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address


Traffic disrupted while tmm restarts.


-- IPsec IKEv1 or IKEv2. -- Tunnel is in "interface" mode. -- Tunnel object is reconfigured while the tunnel is up.


Ensure the tunnel is down before reconfiguring it. -- Set the IKE-Peer config state to disabled. -- Delete an established IKE SA and IPsec SA related to that peer. For example: # tmsh modify net ipsec ike-peer <Name> state disabled # tmsh delete net ipsec ike-sa peer-ip <IP> # tmsh delete net ipsec ipsec-sa dst-addr <IP> "Name" is the specific name given to the ike-peer config object. "IP" is the address configured to use for the remote peer. Then make the desired changes and enable the IKE-Peer. # tmsh modify net ipsec ike-peer <name> state enabled

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips