Bug ID 677937: APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3

Fixed In:
14.0.0, 13.1.1.4, 12.1.3.4

Opened: Aug 10, 2017
Severity: 2-Critical
Related AskF5 Article:
K41517253

Symptoms

An APM client cannot connect to the server when the APM tunnel is encapsulated in an IPsec tunnel.

Impact

No connectivity between the client and the server.

Conditions

This requires a relatively complicated network setup in which an APM tunnel is configured over an IPsec tunnel and iSession is in use.

Workaround

Do not encapsulate the APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix Information

APM tunnel and IPsec over IPsec tunnel now correctly accept isession-SYN connect packets.

Behavior Change