Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP All
Known Affected Versions:
11.4.1
Opened: Oct 30, 2014
Severity: 3-Major
Racoon core and connections issue with IPsec between BIG-IP system and Azure client.
This issue has been seen only once. Some connection issues might occur as a result of the IPsec SA re-key attempt failures. A crash might occur because of logging issues when IKE logging level debug2 is enabled.
IKE logging level debug2 is enabled. The BIG-IP system's phase2 algorithm is SHA1 and Azure's phase2 algorithms are SHA2 and SHA1, in that order. This is a configuration issue. The BIG-IP system supports SHA1 for the phase2 algorithm, and Azure supports the SHA2 and SHA1 algorithms. When the BIG-IP system, as the initiator, sends SHA1 for phase2, Azure rejects it with the response NO-PROPOSAL-CHOSEN. This occurs because Azure checks the BIG-IP system's proposal against SHA2 only. When Azure, as the initiator, sends SHA2 and SHA1 for phase2, the BIG-IP system selects SHA1 as the responder, and the tunnel comes up.
None.
None