Bug ID 568182: IPsec does not send phase 2 delete.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0

Opened: Jan 16, 2016

Severity: 3-Major

Symptoms

IPsec does not remove the IKE-SA when the traffic selector is changed. As a result, SA status is uneven between the IPsec devices, which can cause significant delay in communication.

Impact

This might result in significant delays in communication.

Conditions

Change the traffic selector on one device and force-delete the SA on the same device, without propagating the change to the other device.

Workaround

Delete the SA manually. Note: This workaround might not be possible.

Fix Information

IPsec now removes the IKE-SA when the traffic selector is changed, so SA status now matches across systems.

Behavior Change
