Bug ID 568182: IPsec does not send phase 2 delete.

Last Modified: Jan 16, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Jan 16, 2016
Severity: 3-Major

Symptoms

IPsec does not remove the IKE-SA when a traffic selector is changed. As a result, SA status is uneven between the IPsec devices, which can cause significant delays in communication.

Impact

This might result in significant delays in communication.

Conditions

Change the traffic selector on one device, and force delete the SA on the same device, but do not propagate to the other one.

Workaround

Delete the SA manually. Note: This workaround might not be possible.

Fix Information

IPsec now removes the IKE-SA when the traffic selector is changed, so SA status now matches across systems.

Behavior Change