Last Modified: Aug 23, 2023
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 22.214.171.124, 126.96.36.199, 16.1.3, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 17.0.0, 126.96.36.199, 188.8.131.52
Opened: Oct 17, 2022
Severity: 2-Critical
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.
IPsec SAs are now deleted after the related IKE SA is deleted.