Bug ID 504508: IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.6.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.1, 11.5.4

Opened: Feb 03, 2015

Severity: 2-Critical

Related Article: K16773

Symptoms

When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.

Impact

IPsec tunnel goes down, traffic stops.

Conditions

An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled

Workaround

Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.

Fix Information

IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips