Last Modified: Jan 20, 2023
Known Affected Versions:
15.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 15.1.1, 15.1.2, 220.127.116.11, 15.1.3, 18.104.22.168, 15.1.4, 22.214.171.124, 15.1.5, 126.96.36.199, 15.1.6, 188.8.131.52, 15.1.7, 15.1.8, 184.108.40.206, 16.0.0, 220.127.116.11, 16.0.1, 18.104.22.168, 22.214.171.124, 16.1.0, 16.1.1, 16.1.2, 126.96.36.199, 188.8.131.52, 16.1.3, 184.108.40.206, 220.127.116.11, 18.104.22.168, 17.0.0, 22.214.171.124, 126.96.36.199
Opened: Aug 07, 2022
An interface-mode IPsec policy handles traffic routed through a route-domain and sends it over the IPsec tunnel. After the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.
- IPsec tunnel with ipsec-policy in interface mode.
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.

Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.
There are two similar workaround options for when the issue is observed:

Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.

Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be resolved immediately, so the new route can then be deleted right away.