Bug ID 568182: IPsec does not send phase 2 delete.

Last Modified: Mar 17, 2021


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:

Opened: Jan 16, 2016
Severity: 3-Major


IPsec does not remove the IKE-SA when a traffic selector is changed. As a result, SA status is uneven between the IPsec devices, which can cause significant delays in communication.


This might result in significant delays in communication.


Change the traffic selector on one device and force-delete the SA on the same device, but do not propagate to the other one.


Delete the SA manually. Note: This workaround might not be possible.

Fix Information

IPsec now removes the IKE-SA when a traffic selector is changed, so SA status now matches across systems.

Behavior Change