Bug ID 427791: Multiple SAs created for a single tunnel might cause issues during rekey

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10

Fixed In:
11.5.0, 11.4.1 HF4, 11.4.0 HF6

Opened: Aug 13, 2013

Severity: 1-Blocking

Related Article: K14646

Symptoms

When the BIG-IP system and IPsec peer negotiate multiple security associations (SAs) for a single IPsec tunnel, the tunnel may experience intermittent traffic disruptions.

Impact

The IPsec tunnel may experience intermittent traffic disruptions. The IPsec peers initially establish the tunnel. However, traffic may intermittently fail to flow through the tunnel for several minutes. Tunnel traffic may resume after several minutes without user intervention.

Conditions

In some cases, the IPsec peer negotiates multiple SAs for the same IPsec tunnel. Some third-party IPsec vendors delete redundant SAs and only keep one pair of working SAs. If the remote Internet Key Exchange (IKE) agent fails to send a DELETE payload to the BIG-IP system, the BIG-IP system ends up with a pair of expired or invalid SAs, and may attempt to use the invalid SAs if new SAs have not been negotiated.

Workaround

Run the command 'tmsh delete net ipsec ipsec-sa' to remove invalid SAs. For more information, see SOL14646: Multiple security associations negotiated for a single IPsec tunnel may cause intermittent traffic disruptions.
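A model of the situation described under Conditions and of the clean-up the workaround performs, added here as an illustration; it is not F5 code. The SA table, SPIs, clock values and the outbound-SA selection policy are constructed for the example.

```python
# Added illustration, not F5 code: a model of the per-tunnel SA table described
# in the Conditions section. SPIs, clock and selection policy are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ChildSA:
    tunnel: str        # IPsec tunnel the SA belongs to
    spi: int           # Security Parameter Index
    inbound: bool      # SAs are negotiated as inbound/outbound pairs
    established: int   # constructed clock, seconds
    lifetime: int      # negotiated lifetime, seconds

    def expired(self, now):
        return now >= self.established + self.lifetime

def redundant_sas(table, now):
    """SPIs to remove: expired SAs plus any pair superseded by a newer pair on
    the same tunnel. This is the 'keep one working pair' clean-up the page
    attributes to third-party peers, and what the tmsh workaround achieves."""
    newest = {}
    for sa in table:
        if sa.expired(now):
            continue
        key = (sa.tunnel, sa.inbound)
        if key not in newest or sa.established > newest[key].established:
            newest[key] = sa
    keep = {sa.spi for sa in newest.values()}
    return sorted(sa.spi for sa in table if sa.spi not in keep)

def traffic_flows(table, tunnel, now, peer_spis):
    """Sender uses the oldest unexpired outbound SA of the tunnel (constructed
    policy). If the peer silently dropped that SA, i.e. it never sent a DELETE
    payload, the packets are discarded: the outage the page describes."""
    candidates = [sa for sa in table
                  if sa.tunnel == tunnel and not sa.inbound and not sa.expired(now)]
    if not candidates:
        return False
    return min(candidates, key=lambda sa: sa.established).spi in peer_spis

def after_cleanup(table, now):
    stale = set(redundant_sas(table, now))
    return [sa for sa in table if sa.spi not in stale]

# Constructed scenario: two SA pairs were negotiated for tunnel "t1"; the peer
# kept only the newer pair and never told the BIG-IP side about the older one.
TABLE = [
    ChildSA("t1", 0x1001, True, 0, 3600), ChildSA("t1", 0x2001, False, 0, 3600),
    ChildSA("t1", 0x1002, True, 5, 3600), ChildSA("t1", 0x2002, False, 5, 3600),
]
PEER_SPIS = {0x1002, 0x2002}  # SAs the peer still holds
```

With the stale pair present, traffic is black-holed until the older SA's lifetime runs out; after the redundant pair is removed, the same tunnel carries traffic immediately.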

Fix Information

During IPsec rekey between the BIG-IP system and a FortiGate firewall, the interoperation issue no longer occurs.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips