Last Modified: Dec 18, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6
Opened: May 11, 2023
Severity: 4-Minor
Symptoms:
An IPsec IKEv2 tunnel that was working initially suddenly stops responding to ISAKMP negotiation. A packet capture shows the BIG-IP refusing inbound ISAKMP (UDP port 500) with an ICMP port unreachable reply instead of answering the IKE_SA_INIT. Example:
    02:26:14.327847 IP 172.16.5.1.500 > 172.16.6.1.500: isakmp: parent_sa ikev2_init[I]
    02:26:14.328678 IP 172.16.6.1 > 172.16.5.1: ICMP 172.16.6.1 udp port 500 unreachable
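The capture pattern above (an IKE_SA_INIT request answered by ICMP "udp port 500 unreachable" from the would-be responder) is easy to spot by eye in a two-line excerpt but harder in a long tcpdump. The following is an added example, not part of the F5 article, that parses tcpdump text output and flags each peer pair where the responder refused IKE; it also recognises a healthy ikev2_init[R] reply so that working tunnels are not reported. The sample capture lines are constructed (the first two copy the article's example; the 172.16.7.1 peer is an invented healthy exchange), and the regular expressions assume tcpdump's default one-line format with no -n/-v variations.

```python
import re
from datetime import datetime, timedelta

# tcpdump one-line format for an IKEv2 IKE_SA_INIT request ([I]) or reply ([R])
IKE_INIT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.500 > (?P<dst>[\d.]+)\.500: "
    r"isakmp: parent_sa ikev2_init\[(?P<role>[IR])\]"
)
# ICMP port-unreachable generated by a host that has nothing listening on UDP 500
UNREACH_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<host>[\d.]+) udp port 500 unreachable"
)

# Constructed sample: lines 1-2 mirror the article's capture, lines 3-4 are a
# healthy negotiation with a different (invented) peer 172.16.7.1.
SAMPLE_CAPTURE = """\
02:26:14.327847 IP 172.16.5.1.500 > 172.16.6.1.500: isakmp: parent_sa ikev2_init[I]
02:26:14.328678 IP 172.16.6.1 > 172.16.5.1: ICMP 172.16.6.1 udp port 500 unreachable
02:26:15.100000 IP 172.16.5.1.500 > 172.16.7.1.500: isakmp: parent_sa ikev2_init[I]
02:26:15.101200 IP 172.16.7.1.500 > 172.16.5.1.500: isakmp: parent_sa ikev2_init[R]
"""


def _parse_ts(ts: str) -> datetime:
    # tcpdump prints only time of day; the date defaults to 1900-01-01, which is
    # fine for computing short deltas within one capture.
    return datetime.strptime(ts, "%H:%M:%S.%f")


def find_refused_ike_peers(lines, window_seconds: float = 2.0):
    """Return a list of dicts {initiator, responder, at} for every IKE_SA_INIT
    request that was answered by an ICMP port-500-unreachable from the responder
    within window_seconds, i.e. the responder is refusing inbound ISAKMP."""
    pending = {}   # (initiator, responder) -> timestamp of the unanswered [I]
    refused = []
    for line in lines:
        m = IKE_INIT_RE.match(line)
        if m:
            if m["role"] == "I":
                pending[(m["src"], m["dst"])] = _parse_ts(m["ts"])
            else:
                # A [R] reply comes from the responder, so the pair is reversed
                pending.pop((m["dst"], m["src"]), None)
            continue
        m = UNREACH_RE.match(line)
        if m:
            key = (m["dst"], m["src"])  # ICMP flows responder -> initiator
            sent = pending.pop(key, None)
            if sent is not None and _parse_ts(m["ts"]) - sent <= timedelta(seconds=window_seconds):
                refused.append({"initiator": key[0], "responder": key[1], "at": m["ts"]})
    return refused


def refused_in_sample():
    """Convenience wrapper that runs the detector over the constructed sample."""
    return find_refused_ike_peers(SAMPLE_CAPTURE.splitlines())


if __name__ == "__main__":
    for hit in refused_in_sample():
        print(f"{hit['at']}: {hit['responder']} refused IKE_SA_INIT from {hit['initiator']}")
```

Run it against a saved capture with `find_refused_ike_peers(open("ike.txt"))`; on a BIG-IP exhibiting this defect the BIG-IP self IP shows up as the responder, while peers that answer with ikev2_init[R] are never listed.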
Impact:
Remote networks are not available while the tunnel is down.
Conditions:
-- IPsec IKEv2 tunnel in use.
-- The BIG-IP is the Responder to a tunnel negotiation.
-- The tunnel expires (ages out) naturally and does not renegotiate because there is no interesting traffic.
-- The tunnel is required again due to new traffic, but now cannot start.
Workaround:
Mitigate by setting a high ike-peer lifetime so that the tunnel does not naturally go down due to lack of traffic:
    # tmsh modify net ipsec ike-peer <name> lifetime 1440
To recover the tunnel when it is in the hard-down state, disable the problematic ike-peer and enable it again:
    # tmsh modify net ipsec ike-peer <name> state disabled
    # tmsh modify net ipsec ike-peer <name> state enabled
If the above method does not work, the problem encountered is likely not the issue described here. As a last option, restarting tmm also recovers this problem state, but that is service-impacting.
Fix Information:
None