Last Modified: Oct 16, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.6.2 HF1, 11.3.0, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
11.5.3 HF2, 11.5.1 HF5, 11.4.1 HF9
Opened: Mar 07, 2014
Severity: 3-Major
DPD (Dead Peer Detection) packets are dropped after the IPsec tunnel is up. This occurs because keyed VLAN connections are enabled: the BIG-IP system tries to match the VLAN ID along with other parameters for DPD packets.
The tunnel does not stay up because of the DPD failure. The match should be done for the host interface instead of the actual VLAN interface.
Enable keyed VLAN connections and bring up an IPsec tunnel.
None.
Changed the interface match to look up the host interface instead of the VLAN interface.