Bug ID 651826: SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3.6

Opened: Mar 16, 2017

Severity: 5-Cosmetic

Symptoms

When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".

For example, the BIG-IP will render this:

Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d

When the actual SPIs viewed on the peer device are:

Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C

Impact

Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.

Conditions

IKEv2 IPsec SAs are established or are in the process of being established.

Workaround

Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.
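
The manual rearrangement can be scripted. The following is an added example, not F5 code: it reverses the byte order of the SPIs shown by an affected version and checks them against the peer's view, where the BIG-IP's local SPI is the peer's remote SPI and vice versa. The function names and the two-line layout of the tmsh sample are assumptions; the SPI values are the ones quoted in this bug record. Do not apply it on versions where the bug is fixed, since those already display the correct order.

```shell
#!/bin/sh
# Added example, not F5 code. Only for versions that still show the bug.

# Constructed sample: the values quoted in this bug record; layout assumed.
SAMPLE='Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d'

# Reverse the byte order of an 8-byte hex SPI (optional 0x), print uppercase.
swap_spi() {
    hex=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$hex" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#hex}" -eq 16 ] || return 1      # IKE SPIs are 8 bytes
    out=
    while [ -n "$hex" ]; do
        rest=${hex#??}                    # everything after the first byte
        out="${hex%"$rest"}$out"          # prepend that first byte
        hex=$rest
    done
    printf '%s\n' "$out"
}

# Extract the SPI with label "local" or "remote" from tmsh output text.
tmsh_spi() {
    printf '%s\n' "$2" | tr 'A-Z' 'a-z' |
        sed -n "s/.*spi($1): *\(0x[0-9a-f]*\).*/\1/p" | head -n 1
}

# Compare: BIG-IP local must equal peer remote, and BIG-IP remote peer local.
# $1 = tmsh output, $2 = peer "Local spi", $3 = peer "Remote spi".
# Returns 0 on match, 1 on mismatch, 2 if an SPI could not be parsed.
check_sa() {
    l=$(swap_spi "$(tmsh_spi local "$1")") || return 2
    r=$(swap_spi "$(tmsh_spi remote "$1")") || return 2
    pl=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    pr=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    [ "$l" = "$pr" ] && [ "$r" = "$pl" ]
}

if check_sa "$SAMPLE" 5DE28135010A9F95 8C0916B0CA42473C; then
    echo "SA matches peer"
else
    echo "SA does not match peer"
fi
```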

Fix Information

The correct SPI numbers are displayed when running the "tmsh show net ipsec ike-sa all-properties" command. Note that this command only shows IKEv2 SAs.

Behavior Change
