Last Modified: Jan 16, 2019
See more info
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Opened: Jan 16, 2016
IPsec does not remove IKE-SA on change traffic selector. As result there are uneven SA status between IPsec devices and it can cause significant delay in communication.
This might result in significant delays in communication.
Change traffic selector on one device, and force delete SA on the same device, but do not propagate to the other one.
Delete SA manually. Note: This workaround might not be possible.
IPsec now removes IKE-SA on change traffic selector, so SA status now matches across systems.