Bug ID 487798: Racoon core and connections issue with IPsec between BIG-IP system and Azure client.

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP All (all modules)

Known Affected Versions:
11.4.1

Opened: Oct 30, 2014
Severity: 3-Major

Symptoms

Racoon core and connections issue with IPsec between BIG-IP system and Azure client.

Impact

This issue has been seen only once. Some connection issues might occur as a result of the IPsec SA re-key attempt failures. A crash might occur because of logging issues when IKE logging level debug2 is enabled.

Conditions

IKE logging level debug2 is enabled. The BIG-IP system's phase2 algorithm is SHA1, and the Azure phase2 algorithms are SHA2 and SHA1, in that order. This is a configuration issue: the BIG-IP system supports SHA1 for the phase2 algorithm, and Azure supports the SHA2 and SHA1 algorithms. When the BIG-IP system, as the initiator, sends SHA1 for phase2, Azure rejects it with the response NO-PROPOSAL-CHOSEN. This occurs because Azure checks the BIG-IP system's proposal against SHA2 only. When Azure, as the initiator, sends SHA2 and SHA1 for phase2, the BIG-IP system, as the responder, selects SHA1, and the tunnel comes up.
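
The direction-dependent outcome described above, modelled as an added example (not F5, racoon or Azure code). The Peer type, the first_only flag and the algorithm labels are assumptions made for illustration; first_only encodes the statement that Azure checks the BIG-IP proposal against SHA2 only.

```python
from dataclasses import dataclass

NO_PROPOSAL_CHOSEN = "NO-PROPOSAL-CHOSEN"


@dataclass(frozen=True)
class Peer:
    name: str
    phase2_auth: tuple        # phase2 hash algorithms, in configured order
    first_only: bool = False  # assumption: as responder, match offers against the first entry only


def respond(responder, offer):
    """Return the algorithm the responder selects from the initiator's offer."""
    acceptable = responder.phase2_auth[:1] if responder.first_only else responder.phase2_auth
    for alg in offer:  # walk the initiator's proposals in the order sent
        if alg in acceptable:
            return alg
    return NO_PROPOSAL_CHOSEN


def audit(a, b):
    """Run the phase2 selection in both directions (each peer as initiator once)."""
    return {
        f"{a.name}->{b.name}": respond(b, a.phase2_auth),
        f"{b.name}->{a.name}": respond(a, b.phase2_auth),
    }


def asymmetric(a, b):
    """True when the tunnel negotiates in one direction but is rejected in the other."""
    results = list(audit(a, b).values())
    rejected = [r for r in results if r == NO_PROPOSAL_CHOSEN]
    return len(rejected) == 1


# Constructed peers mirroring the Conditions paragraph.
BIGIP = Peer("bigip", ("sha1",))
AZURE = Peer("azure", ("sha2", "sha1"), first_only=True)

if __name__ == "__main__":
    for direction, result in audit(BIGIP, AZURE).items():
        print(f"{direction}: {result}")
    print("asymmetric:", asymmetric(BIGIP, AZURE))
```

An asymmetric result is the condition under which a tunnel brought up by one side can later fail when the other side initiates the SA re-key.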

Workaround

None.

Fix Information

None

Behavior Change