Bug ID 1134301: IPsec interface mode may stop sending packets over tunnel after configuration update

Last Modified: Mar 30, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,, 17.0.0,,

Fixed In:
17.1.0, 16.1.4, 15.1.9

Opened: Aug 07, 2022

Severity: 2-Critical


An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.


The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.


- IPsec tunnel with ipsec-policy in interface mode. - The sys db ipsec.if.checkpolicy is disabled (by default it is enabled). - Static routes pointing to the IPsec interface. - Tunnel configuration updated. Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.


There are two similar workaround options for when the issue is observed: Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again. Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be immediately resolved and so the new route can be immediately deleted.

Fix Information

Traffic can pass over the IPsec tunnel after a configuration update.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips