Bug ID 504508: IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Last Modified: Oct 06, 2020


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8

Fixed In:
12.0.0, 11.6.1, 11.5.4

Opened: Feb 03, 2015
Severity: 2-Critical
Related AskF5 Article:


When establishing an IPsec tunnel from the BIG-IP system to some Cisco devices that use an older Dead Peer Detection (DPD) implementation, the IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.


The IPsec tunnel goes down and traffic stops.


An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled.


Disable Dead Peer Detection in the IKE peer configuration for the Cisco devices exhibiting this issue.

Fix Information

IPsec tunnels between the BIG-IP system and Cisco devices with older Dead Peer Detection (DPD) implementations are no longer brought down because of a mismatched Cookie field in the DPD messages.
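
For reference when examining a decrypted capture of this kind of failure: RFC 3706 DPD messages are ISAKMP notify payloads (R-U-THERE, R-U-THERE-ACK) whose SPI field carries the initiator and responder cookies. The following is an added example, not F5 or Cisco code, that parses such a payload and checks that field against the ISAKMP header cookies. It assumes the payload has already been decrypted and that this is the field the bug description refers to; the function names and all sample bytes are constructed for illustration.

```python
import struct

R_U_THERE, R_U_THERE_ACK = 36136, 36137   # RFC 3706 notify message types
NOTIFY_FIXED = struct.Struct("!BBHIBBH")  # next, reserved, length, DOI, proto, SPI size, type


def check_dpd_notify(isakmp_header: bytes, notify: bytes) -> dict:
    """Parse a decrypted DPD notify payload and compare its SPI to the header cookies."""
    if len(isakmp_header) < 28 or len(notify) < NOTIFY_FIXED.size:
        raise ValueError("truncated ISAKMP header or notify payload")
    _nxt, _rsvd, length, _doi, _proto, spi_size, msg_type = NOTIFY_FIXED.unpack_from(notify)
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError(f"not a DPD notify (type {msg_type})")
    end = NOTIFY_FIXED.size + spi_size
    if length != end + 4 or len(notify) < length:
        raise ValueError("bad length for a DPD notify")
    spi = notify[NOTIFY_FIXED.size:end]
    (seq,) = struct.unpack_from("!I", notify, end)   # 4-byte DPD sequence number
    return {
        "type": "R-U-THERE" if msg_type == R_U_THERE else "R-U-THERE-ACK",
        "seq": seq,
        "spi_size": spi_size,
        # RFC 3706: SPI = CKY-I | CKY-R, the first 16 bytes of the ISAKMP header
        "cookie_match": spi == isakmp_header[:16],
    }


def build_notify(msg_type: int, spi: bytes, seq: int) -> bytes:
    """Build a constructed sample payload (hypothetical helper for the demo)."""
    fixed = NOTIFY_FIXED.pack(0, 0, NOTIFY_FIXED.size + len(spi) + 4, 1, 1, len(spi), msg_type)
    return fixed + spi + struct.pack("!I", seq)


# Constructed sample data: Informational exchange (type 5); header length is a placeholder.
CKY_I, CKY_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
HEADER = CKY_I + CKY_R + struct.pack("!BBBBII", 8, 0x10, 5, 0x01, 0x0BADCAFE, 60)
GOOD = build_notify(R_U_THERE, CKY_I + CKY_R, 1001)
BAD = build_notify(R_U_THERE_ACK, CKY_I + bytes(8), 1001)   # constructed mismatch

if __name__ == "__main__":
    for name, payload in (("good", GOOD), ("bad", BAD)):
        print(name, check_dpd_notify(HEADER, payload))
```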

Behavior Change