Bug ID 570818: Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Last Modified: Feb 13, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF1

Opened: Jan 29, 2016
Severity: 3-Major
Related AskF5 Article:
K80253050

Symptoms

LTM IPsec IKEv2 does not support the dynamic remote-address CONFIG option, but might still process that information when third-party devices send it. Configuration changes resulting from this option might affect traffic-selector selection in IKEv2 negotiations, leading to incorrect matches and failure to establish the IPsec SA.

Impact

Failure to establish the IPsec SA.

Conditions

The remote IKEv2 peer is one of certain third-party vendor devices, for example, a Cisco APIC device.

Workaround

None.

Fix Information

Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.

Behavior Change