Bug ID 570783: Improved debug log for IKEv2 proposal transforms and payloads.

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.1.0

Opened: Jan 29, 2016

Severity: 3-Major

Symptoms

IKEv2 logs too little information about proposal transforms for debugging, especially when compared to IKEv1 logging of transforms during negotiation. Not enough information is shown to explain why an IKEv2 negotiation fails.

Impact

Diagnosing IKEv2 disagreement in transforms is hard without the new debug log info.

Conditions

If an IKEv2 negotiation fails due to proposal transform disagreement, /var/log/ipsec.log shows too few clues about what was wrong. When the log level is at least DEBUG, the log should give more debug information. The log level is set with either of these commands:

tmsh modify net ipsec ike-daemon ikedaemon log-level debug
tmsh modify net ipsec ike-daemon ikedaemon log-level debug2

Workaround

None.

Fix Information

/var/log/ipsec.log (and the tmm logs) now show clear detail about proposal transforms and payloads when the log level is at least DEBUG. To change the log level to debug, run:

tmsh modify net ipsec ike-daemon ikedaemon log-level debug

or

tmsh modify net ipsec ike-daemon ikedaemon log-level debug2

Behavior Change
