Last Modified: Nov 07, 2022
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8
12.0.0, 11.6.1, 11.5.4
Opened: Feb 03, 2015 Severity: 2-Critical Related Article:
Related Article: K16773
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.
IPsec tunnel goes down, traffic stops.
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.
IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages.