Bug ID 1134301: IPsec interface mode may stop sending packets over tunnel after configuration update

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.0, 16.1.4, 15.1.9

Opened: Aug 07, 2022

Severity: 2-Critical

Symptoms

An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.

Impact

The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.

Conditions

- IPsec tunnel with ipsec-policy in interface mode. - The sys db ipsec.if.checkpolicy is disabled (by default it is enabled). - Static routes pointing to the IPsec interface. - Tunnel configuration updated. Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.

Workaround

There are two similar workaround options for when the issue is observed: Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again. Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be immediately resolved and so the new route can be immediately deleted.

Fix Information

Traffic can pass over the IPsec tunnel after a configuration update.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips