Bug ID 570783: Improved debug log for IKEv2 proposal transforms and payloads.

Last Modified: Apr 19, 2021

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.1.0

Opened: Jan 29, 2016
Severity: 3-Major

Symptoms

IKEv2 logs too little detail about proposal transforms for debugging, especially compared to the IKEv1 logging of transforms during negotiation. The log does not show enough information to explain why an IKEv2 negotiation fails.

Impact

Diagnosing IKEv2 disagreement in transforms is hard without the new debug log info.

Conditions

If an IKEv2 negotiation fails due to proposal transform disagreement, examining /var/log/ipsec.log shows too few clues about what was wrong. When log-level is at least DEBUG, the log should give more debug information. The log level is set with either of these commands:

tmsh modify net ipsec ike-daemon ikedaemon log-level debug
tmsh modify net ipsec ike-daemon ikedaemon log-level debug2

Workaround

None.

Fix Information

Now /var/log/ipsec.log (and the tmm logs) reveals clear detail about proposal transforms and payloads when the log level is at least DEBUG. To change the log level to debug, use either of these commands:

tmsh modify net ipsec ike-daemon ikedaemon log-level debug
tmsh modify net ipsec ike-daemon ikedaemon log-level debug2

Behavior Change