Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8
Fixed In:
12.0.0, 11.6.1, 11.5.4
Opened: Feb 03, 2015 Severity: 2-Critical Related Article:
K16773
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.
IPsec tunnel goes down, traffic stops.
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.
IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages.