Last Modified: Apr 21, 2026
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
17.1.3.1, 17.5.1.3, 17.5.1.4, 17.5.1.5, 21.0.0, 21.0.0.1
Opened: Mar 31, 2026
Severity: 4-Minor
- Discrepancy exists between BIG-IP Configuration Utility (GUI) and TMOS Shell (CLI) in how IPsec policy changes are handled.
- In the GUI, editing an existing IPsec policy and changing the authentication algorithm to any SHA variant (e.g., SHA-1 to SHA-256) causes the encryption algorithm to be reset to NULL.
The GUI provides no warning that the encryption algorithm has been removed. This silent change causes unexpected IPsec tunnel failures in production.
- Create an IPsec policy with an authentication algorithm from sha1/sha256/sha384/sha512 and an encryption algorithm from aes-128/aes-192/aes-256.
- Save the above policy.
- Edit the policy. When the authentication algorithm is changed to another SHA algorithm, the encryption algorithm is updated to NULL.
None
None
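A read-only check for the state described above, as an added example that is not F5 code: it reads `tmsh list net ipsec ipsec-policy` style text and reports policies whose encryption algorithm is null while the authentication algorithm is a SHA variant. The property names `ike-phase2-auth-algorithm` and `ike-phase2-encrypt-algorithm`, the stanza layout, and the sample policies are assumptions and do not come from this page.

```shell
# Added example, not F5 code. Reads ipsec-policy stanzas on stdin and prints
# every policy that has a SHA authentication algorithm but null encryption.
# Assumption: one property per line inside a flat "net ipsec ipsec-policy NAME { ... }" stanza.
find_null_encrypt_policies() {
    awk '
        # Start of a policy stanza: remember its name, reset collected values.
        $1 == "net" && $2 == "ipsec" && $3 == "ipsec-policy" {
            name = $4; auth = ""; enc = ""; next
        }
        name != "" && $1 == "ike-phase2-auth-algorithm"    { auth = tolower($2) }
        name != "" && $1 == "ike-phase2-encrypt-algorithm" { enc  = tolower($2) }
        # End of stanza: report if the pair matches the state this bug leaves behind.
        name != "" && $1 == "}" {
            if (enc == "null" && auth ~ /^sha/)
                print name " auth=" auth " encrypt=" enc
            name = ""
        }
    '
}

# Constructed sample input (hypothetical policy names), used so the check runs offline.
sample_config() {
    cat <<'EOF'
net ipsec ipsec-policy branch_a {
    ike-phase2-auth-algorithm sha256
    ike-phase2-encrypt-algorithm aes256
    mode tunnel
}
net ipsec ipsec-policy branch_b {
    ike-phase2-auth-algorithm sha384
    ike-phase2-encrypt-algorithm null
    mode tunnel
}
EOF
}

# On a BIG-IP the input would come from:
#   tmsh list net ipsec ipsec-policy all-properties | find_null_encrypt_policies
sample_config | find_null_encrypt_policies
```

A policy can be configured with null encryption on purpose, so each reported name is a candidate to compare against the intended configuration, not proof that the GUI edit occurred.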