Last Modified: Jul 12, 2023
Known Affected Versions:
12.1.2, 12.1.1, 12.1.0
Opened: May 25, 2016
Severity: 3-Major
Related Article: K40420553
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.
A traffic outage occurs on one tunnel when the remote IPsec peer generally plays the role of Initiator. The remote system will not attempt to establish a new tunnel because it believes that a valid SA exists.
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies ipsec-tunnel-profile, which is found here:
-- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
-- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, restarting tmipsecd can be employed; however, this will cause all IPsec tunnels to restart.
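The failure mode and the workaround described above can be reproduced in a small model. This is an added example, not F5 or IKE daemon code: the `Peer` class, the function names and the SPI values are all hypothetical, and the model assumes the remote peer only starts a phase 2 negotiation when it holds no SA.

```python
# Toy model of the stale-SA condition; not BIG-IP or IKE daemon code.
from dataclasses import dataclass, field
from itertools import count

_spi = count(0x1000)  # constructed SPI values


@dataclass
class Peer:
    name: str
    sas: set = field(default_factory=set)  # SPIs of installed phase 2 SAs


def negotiate(initiator, responder):
    """Phase 2 outcome: both peers install the same SA."""
    spi = next(_spi)
    initiator.sas.add(spi)
    responder.sas.add(spi)
    return spi


def send(initiator, responder):
    """Initiator sends one packet; return what happens to it."""
    if not initiator.sas:
        negotiate(initiator, responder)  # no SA held, so build a new one
        return "negotiated"
    spi = max(initiator.sas)  # newest SA the initiator believes is valid
    return "delivered" if spi in responder.sas else "dropped"


def modify_profile(local, remote, notify_peer):
    """Local side removes its phase 2 SAs after a profile change."""
    if notify_peer:  # expected behaviour: peer is told to delete the SAs
        remote.sas -= local.sas
    local.sas.clear()  # with notify_peer=False this is a local-only delete


def scenario(notify_peer, apply_workaround=False):
    bigip, remote = Peer("bigip"), Peer("remote")
    results = [send(remote, bigip), send(remote, bigip)]
    modify_profile(bigip, remote, notify_peer)
    if apply_workaround:
        remote.sas.clear()  # workaround: delete the defunct SA on the remote
    results += [send(remote, bigip), send(remote, bigip)]
    return results


if __name__ == "__main__":
    print("no notification:", scenario(notify_peer=False))
    print("with notification:", scenario(notify_peer=True))
    print("workaround applied:", scenario(False, apply_workaround=True))
```
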