Bug ID 524753: IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip

Last Modified: Oct 06, 2020

Affected Product: BIG-IP TMOS (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6

Opened: May 22, 2015
Severity: 3-Major


Symptoms

The IPsec tunnel interface presents the IPsec service via the regular network interface. The tunnel's self-IP address should therefore allow external hosts to connect to the BIG-IP over TCP/UDP at that address. Instead, the connection is hairpinned back into the IPsec tunnel interface and never reaches the BIG-IP host.


Impact

Services provided by the BIG-IP host itself, such as BGP (which runs over TCP), cannot be reached through the IPsec tunnel self-IP.


Conditions

Create an IPsec tunnel interface and assign it a self-IP with "allow-service all" so that the self-IP may accept external connections. From the other end of the IPsec tunnel, attempt a TCP connection using "telnet"; the "telnet" command fails.


Workaround

An iRule can be created to forward the external connection arriving on the IPsec tunnel self-IP to the host. The addresses in the original example are elided on this page; <self-ip> stands for the self-IP of the IPsec tunnel interface, and <port>, <mask> and <source> stand for the elided destination port, network mask and source address.

    ltm virtual http_host {
        destination <self-ip>:<port>
        ip-forward
        ip-protocol tcp
        mask <mask>
        profiles {
            fastl4_stateless { }
        }
        rules {
            local_node
        }
        source <source>
        translate-address disabled
        translate-port disabled
    }

    ltm rule local_node {
        when CLIENT_ACCEPTED {
            node <self-ip> 80
        }
    }

Fix Information

BIG-IP now properly handles TCP/UDP connections to the BIG-IP over the IPsec interface using its tunnel self-IP.

Behavior Change