Bug ID 1181613: IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,, 17.0.0,,

Fixed In:
17.1.0, 16.1.4

Opened: Oct 17, 2022

Severity: 2-Critical


After the deletion of an IKE SA, the child IPsec SAs will not be deleted.


The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.


-- IKEv2 IPsec tunnels -- Tunnels use Route Domains. -- An IPsec SA is deleted.



Fix Information

IPsec SAs are now deleted after the related IKE SA is deleted.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips