Bug ID 1178221: In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.0, 16.1.4, 15.1.9

Opened: Oct 17, 2022

Severity: 2-Critical

Symptoms

When the retransmit happens, and other side is not reachable, the BIG-IP logs the "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".

Impact

Wrong information logged. DPD response packet corruption.

Conditions

Tunnel is established between Initiatior and Responder. Responder is able to send DPD request. but not able to receive response.

Workaround

None

Fix Information

Logs will display correct message. Packet will not corrupt.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips