Bug ID 677937: APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3,,,, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,

Fixed In:

Opened: Aug 10, 2017

Severity: 2-Critical

Related Article: K41517253


APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.


No connectivity between the client and the server.


This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).


Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix Information

APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips