Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1
Fixed In:
13.0.0, 12.1.2
Opened: Oct 03, 2016 Severity: 2-Critical
When two traffic-selectors, one in and one out, mirror each other by reversing source and destination addresses, then deleting one can miss-fire an assert, restarting tmm.
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.
Using one traffic selector with direction=both would avoid the problem, before this change appears in a release.
The confusion of over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- just like each other execpt for reversed source and destination -- will work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS insances with direction=both.