Bug ID 675718: IPsec keeps failing to reconnect

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3.6

Opened: Jul 26, 2017
Severity: 3-Major

Symptoms

When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Impact

IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Conditions

-- The BIG-IP system and remote peer communicate over a lossy network. -- The remote peer prematurely deletes an IPsec SA.

Workaround

Manually delete the SA.

Fix Information

Corrected an environmental problem with the racoon daemon.

Behavior Change