Bug ID 677937: APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,

Fixed In:

Opened: Aug 10, 2017
Severity: 2-Critical
Related AskF5 Article:


APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.


No connectivity between the client and the server.


This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).


Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix Information

APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.

Behavior Change