Bug ID 1134301: IPsec interface mode may stop sending packets over tunnel after configuration update

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 16.0.0, 16.0.1, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 17.0.0

Opened: Aug 07, 2022
Severity: 2-Critical


An interface-mode IPsec policy handles traffic through a route-domain to send it over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.


The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.


- IPsec tunnel with ipsec-policy in interface mode.
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.

Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.


There are two similar workaround options for when the issue is observed:

Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.

Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be resolved immediately, so the new route can then be deleted immediately.
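
The two workaround options expressed as tmsh commands, in an added example that is not part of the F5 bug report. The route name, networks and IPsec interface name are constructed placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/bash
# Added example: builds the tmsh commands for the two workarounds.
# All names and networks below are constructed placeholders.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print only, 0 = execute on the BIG-IP

# Option 1: delete the route to the remote network and create it again.
option1_cmds() {  # args: route-name network ipsec-interface
    printf 'tmsh delete net route %s\n' "$1"
    printf 'tmsh create net route %s network %s interface %s\n' "$1" "$2" "$3"
}

# Option 2: keep the existing route, add a temporary more specific route
# on the same IPsec interface, then delete the temporary route.
option2_cmds() {  # args: temp-route-name specific-network ipsec-interface
    printf 'tmsh create net route %s network %s interface %s\n' "$1" "$2" "$3"
    printf 'tmsh delete net route %s\n' "$1"
}

# Echo each command read from stdin; execute it only when DRY_RUN=0.
apply_cmds() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "$DRY_RUN" = "0" ]; then
            $cmd || return 1
        fi
    done
}

# Constructed sample values, not taken from the bug report.
ROUTE_NAME="remote_net_rt"
REMOTE_NET="10.20.0.0/16"
TEMP_NET="10.20.0.0/24"
IPSEC_IF="ipsec_tunnel_if"

if [ "${1:-}" = "option1" ]; then
    option1_cmds "$ROUTE_NAME" "$REMOTE_NET" "$IPSEC_IF" | apply_cmds
elif [ "${1:-}" = "option2" ]; then
    option2_cmds "${ROUTE_NAME}_tmp" "$TEMP_NET" "$IPSEC_IF" | apply_cmds
fi
```

Review the printed commands against the existing route definition (`tmsh list net route`) before running with `DRY_RUN=0`, since Option 1 briefly removes the route.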

Fix Information


Behavior Change