Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6
Fixed In:
13.0.0, 12.1.3.7
Opened: Aug 30, 2016
Severity: 2-Critical
Symptoms:
The IKEv1 racoon daemon can crash and restart when a v1 ike-peer is removed entirely from the config, or simply changed from v1 to v2.
Impact:
The IKEv1 racoon daemon restarts, causing a tunnel outage until the tunnel is re-established by future traffic.
Conditions:
Removing an ike-peer whose version is v1. This includes any change from version v1 to v2, since that changes who handles the peer from the racoon daemon to tmm.
Workaround:
None.
Fix Information:
Validity of a v1 ike-peer inside the racoon daemon is more carefully checked. This release also prevents stale references from old security associations when a peer is removed. Note: A peer can be removed by complete erasure, or by changing the version to v2 so the IKEv1 racoon daemon no longer handles it.