Last Modified: Nov 07, 2022
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9
11.5.0, 11.4.1 HF4, 11.4.0 HF6
Opened: Aug 13, 2013 Severity: 1-Blocking
Related Article: K14646
When the BIG-IP system and IPsec peer negotiate multiple security associations (SAs) for a single IPsec tunnel, the tunnel may experience intermittent traffic disruptions.
Symptoms: The IPsec tunnel experiences intermittent traffic disruptions. The IPsec peers initially establish the tunnel, but traffic may intermittently fail to flow through it for several minutes, then resume without user intervention.
Conditions: The IPsec peer negotiates multiple SAs for the same IPsec tunnel. Some third-party IPsec vendors delete the redundant SAs and keep only one working SA pair. If the remote Internet Key Exchange (IKE) agent does not send a DELETE payload for the SAs it discarded, the BIG-IP system retains a pair of expired or invalid SAs and may keep selecting them for tunnel traffic until new SAs are negotiated. The peer no longer recognizes those SAs, so the traffic sent on them is lost, which produces the intermittent outage.
Workaround: Run 'tmsh delete net ipsec ipsec-sa' to remove the invalid SAs. Deleting SAs tears the tunnel down until IKE renegotiates them, so confirm that redundant SAs are actually present first and run the command in a maintenance window where possible. For more information, see K14646 (formerly SOL14646): Multiple security associations negotiated for a single IPsec tunnel may cause intermittent traffic disruptions.
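The check a practitioner would want before running the workaround above, as an added example that is not part of this bug record and not F5 tooling: a POSIX shell script that reads an SA listing, counts SAs per tunnel and direction, and only emits the delete command when a tunnel holds more than one SA per direction (the condition described in this bug). The listing format and the SA lines are a constructed, simplified rendering assumed for this example, not verified 'tmsh show net ipsec ipsec-sa' output; adjust the awk field positions to match the real output on your system.

```shell
#!/bin/sh
# Added example (not F5 code): flag tunnels that hold more than one SA per
# direction before running the disruptive 'tmsh delete net ipsec ipsec-sa'.
# The listing format below is ASSUMED and constructed for this example; it is
# not verified output of 'tmsh show net ipsec ipsec-sa'.

# Constructed sample: the tunnel to 198.51.100.1 holds two inbound and two
# outbound SAs (the condition this bug describes); the 203.0.113.7 tunnel
# holds exactly one SA per direction and is healthy.
SAMPLE_SA_OUTPUT='IPsec::SecurityAssociations
10.0.0.1 -> 198.51.100.1 SPI(0x1a2b3c4d) in esp (tmm: 0)
10.0.0.1 -> 198.51.100.1 SPI(0x5e6f7a8b) out esp (tmm: 0)
10.0.0.1 -> 198.51.100.1 SPI(0x9c0d1e2f) in esp (tmm: 0)
10.0.0.1 -> 198.51.100.1 SPI(0x3a4b5c6d) out esp (tmm: 0)
10.0.0.1 -> 203.0.113.7 SPI(0x11112222) in esp (tmm: 1)
10.0.0.1 -> 203.0.113.7 SPI(0x33334444) out esp (tmm: 1)'

# Read an SA listing on stdin and print "src -> dst direction count" for
# every (tunnel, direction) that holds more than one SA. Fields in the
# assumed format: $1 src, $2 "->", $3 dst, $4 SPI(...), $5 in|out.
find_duplicate_sas() {
    awk '/SPI\(/ { key = $1 " -> " $3 " " $5; n[key]++ }
         END { for (k in n) if (n[k] > 1) print k, n[k] }' | sort
}

# Exit status 0 if the listing on stdin contains any redundant SA, else 1.
has_duplicate_sas() {
    [ "$(find_duplicate_sas | grep -c .)" -gt 0 ]
}

# Print the remediation only when the condition is present, so this can run
# from monitoring without tearing down healthy tunnels. The delete flushes
# the SAs, so tunnel traffic stops until IKE negotiates new ones.
suggest_remediation() {
    if has_duplicate_sas; then
        echo "tmsh delete net ipsec ipsec-sa"
    else
        echo "no redundant SAs; no action needed"
    fi
}

# Stand-alone run against the constructed sample. On a BIG-IP you would
# feed the real listing instead, e.g. tmsh show net ipsec ipsec-sa | ...
printf '%s\n' "$SAMPLE_SA_OUTPUT" | find_duplicate_sas
printf '%s\n' "$SAMPLE_SA_OUTPUT" | suggest_remediation
```

The script deliberately keys on source, destination and direction rather than on SPI: a tunnel is healthy with exactly one inbound and one outbound SA, and any extra SA in either direction is a candidate for the stale pair this bug leaves behind.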
Fix Information: The interoperability issue during IPsec rekey between the BIG-IP system and a Fortigate firewall no longer occurs.