Bug ID 600732: IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,

Fixed In:

Opened: Jun 22, 2016

Severity: 3-Major


The IKEv1 racoon daemon can crash when a security association (SA) is deleted (which can be done either explicitly on the command line, or indirectly by changing the ike-peer definition in config via tmsh). Usually this crash also requires that the ike-peer be altered or removed at the same time. Note: Merely altering a v1 ike-peer causes the racoon daemon to first delete the old ike-peer, and then add a new one. So 'modify' effectively means 'delete' in this bug context.


IKEv1 racoon daemon restarts, and then tunnel outage until new SAs are negotiated.


When a v1 ike-peer is changed in any way while the racoon daemon actually has a valid security association in current use.


No workaround is known at this time.

Fix Information

When a v1 ike-peer changes, which causes the racoon daemon to delete and then redefine the peer, existing security associations are also deleted (because they were only valid for the last definition). During the process of tearing things down, it was possible for a security association to access the old, destroyed ike-peer during a late-stage followup action. This is now prevented.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips