Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0
Opened: Jan 16, 2016
Severity: 3-Major
IPsec does not remove the IKE-SA when a traffic selector is changed. As a result, SA status is inconsistent between the IPsec devices, which can cause significant delays in communication.
This might result in significant delays in communication.
Change the traffic selector on one device and force-delete the SA on that same device, but do not propagate this to the other device.
Delete the SA manually. Note: This workaround might not be possible.
IPsec now removes the IKE-SA when a traffic selector is changed, so SA status now matches across systems.