Symptoms

When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.

Impact

A traffic outage on one tunnel when the remote IPsec peer is generally plays the role of Initiator. The remote system, will not attempt to establish a new tunnel because it believes that a valid SA exists.

Conditions

- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1. - A user modifies ipsec-tunnel-profile. Namely found here: -- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'. -- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.

Workaround

Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, then restarting tmipsecd can be employed, however this will cause all IPsec tunnels to restart.

Fix Information

None

Behavior Change