Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10
Fixed In:
11.6.0
Opened: Jan 16, 2014 Severity: 3-Major Related Article:
K15214
In some cases, ICMP unreachable messages generated by the BIG-IP system through IPsec tunnels might be looping between tmm processes. TMM using 100% cpu in 2 cores
When this occurs, TMM uses 100% of the CPU.
This occurs when multiple IPsec Tunnels are configured and up. On the terminating IPsec endpoint, if traffic coming out of the tunnel is unreachable from the BIG-IP system, the generated ICMP unreachable messages can occasionally go through the wrong tunnel, and in some cases the ICMP packet can loop between tmm processes.
To work around this, delete IPsec tunnel using the command 'tmsh delete net ipsec ipsec-sa' can get the system out of the state. However, doing so also brings down the tunnels. In addition, the system might return to this state if the ICMP unreachable messages are constantly generated by the BIG-IP system .
The ICMP messages generated by the BIG-IP system will not loop between tmm processes through IPsec Tunnels.