Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0, 12.1.3.2
Opened: Jun 01, 2017
Severity: 2-Critical
Related Article:
K77576404
If fragmented IP packets match an IPsec policy and are then forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key belonging to another connflow, including internal MCP flows. When that happens, and IPsec does tunnel those flows, internal MCP heartbeats are later missed, which causes tmm restarts.
Tmm restarts. Traffic disrupted while tmm restarts.
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.
Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.
Now fragmented packets are handled correctly, and other flows cannot experience interference.