Bug ID 595617: Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.2, 12.1.1, 12.1.0

Opened: May 25, 2016

Severity: 3-Major

Related Article: K40420553


When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.


A traffic outage on one tunnel when the remote IPsec peer is generally plays the role of Initiator. The remote system, will not attempt to establish a new tunnel because it believes that a valid SA exists.


- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1. - A user modifies ipsec-tunnel-profile. Namely found here: -- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'. -- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.


Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, then restarting tmipsecd can be employed, however this will cause all IPsec tunnels to restart.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips