Bug ID 524753: IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6

Opened: May 22, 2015
Severity: 3-Major

Symptoms

The IPsec tunnel interface presents the IPsec service through the regular network interface. Because the tunnel self-IP is an ordinary self-IP, external hosts should be able to connect to the BIG-IP over TCP or UDP at that address. Instead, the connection is hairpinned back into the IPsec tunnel interface rather than being delivered to the host.

Impact

Services provided by the BIG-IP host itself and reached through the tunnel self-IP, such as BGP (which runs over TCP), cannot be established.

Conditions

Create an IPsec tunnel interface and assign it a self-IP with "allow-service all" so that the self-IP accepts external connections. From the other end of the IPsec tunnel, attempt a TCP connection to that self-IP (for example with "telnet"); the "telnet" command fails.

Workaround

An iRule can be used to forward external connections arriving on the IPsec tunnel self-IP to the host address 127.0.0.1. In the following example, 10.99.0.11 is the self-IP of the IPsec tunnel interface and the forwarded service is TCP port 80:

    ltm virtual http_host {
        destination 10.99.0.11:80
        ip-forward
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            fastl4_stateless { }
        }
        rules {
            local_node
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
    }
    ltm rule local_node {
        when CLIENT_ACCEPTED {
            node 127.0.0.1 80
        }
    }
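The page's workaround covers a single port. The added Python below (not F5's code) checks whether a reported BIG-IP version falls in the affected range listed above and generates the same virtual-server/iRule pair for any set of host TCP ports on the tunnel self-IP, for example BGP on 179; the object names host_<port> and local_node_<port> are an assumption of this example.

```python
"""Added example for Bug ID 524753: affected-version check and workaround
generator. Version data comes from the bug page; names are hypothetical."""
import re

# Page data: affected are 11.6.0 and 11.6.0 HF1-HF5; fixed in 11.6.0 HF6 and 12.0.0.
AFFECTED_BASE = (11, 6, 0)
FIXED_HOTFIX = 6


def parse_version(text):
    """'11.6.0 HF3' -> ((11, 6, 0), 3); a version with no HF suffix is hotfix 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?\s*", text)
    if not m:
        raise ValueError("unrecognised BIG-IP version: %r" % text)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, int(m.group(4) or 0)


def is_affected(version_text):
    """True only for the versions the page lists as affected (11.6.0 HF0-HF5).
    Versions the page does not list (older or newer trains) return False."""
    base, hotfix = parse_version(version_text)
    return base == AFFECTED_BASE and hotfix < FIXED_HOTFIX


def workaround_config(self_ip, ports):
    """Emit one ip-forward virtual plus one iRule per TCP port, modelled on the
    page's http_host / local_node example, so that host services on the tunnel
    self-IP are handed to 127.0.0.1 instead of being hairpinned into the tunnel.
    Object names host_<port> / local_node_<port> are this example's choice."""
    lines = []
    for port in ports:
        rule = "local_node_%d" % port
        lines.append("ltm rule %s { when CLIENT_ACCEPTED { node 127.0.0.1 %d } }"
                     % (rule, port))
        lines.append("ltm virtual host_%d { destination %s:%d ip-forward "
                     "ip-protocol tcp mask 255.255.255.255 profiles { fastl4_stateless "
                     "{ } } rules { %s } source 0.0.0.0/0 translate-address disabled "
                     "translate-port disabled }" % (port, self_ip, port, rule))
    return "\n".join(lines)


if __name__ == "__main__":
    for v in ("11.6.0", "11.6.0 HF5", "11.6.0 HF6", "12.0.0"):
        print("%-12s affected=%s" % (v, is_affected(v)))
    # Constructed input: the page's self-IP, with HTTP and BGP exposed on the host.
    print(workaround_config("10.99.0.11", [80, 179]))
```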

Fix Information

BIG-IP can properly handle TCP/UDP connections to the BIG-IP over IPsec interface using its tunnel self-IP.

Behavior Change