Bug ID 686124: IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.1.2, 12.1.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1

Fixed In:

Opened: Sep 28, 2017

Severity: 2-Critical

Related Article: K83576240


Symptoms

Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Impact

IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Conditions

Events causing deletion of phase one IKE SAs.



Fix Information

Phase one and phase two SA relationships are now more robust and tolerate operations that occur in any order, so old data structures are torn down safely.
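The order-tolerant teardown described above, sketched as an added example; it is not F5's or racoon's code, and every name in it (`ph1`, `ph2`, `bind_ph12`, `on_invalid_spi`, the SPI values) is hypothetical. Each side clears the link in both directions before it is freed, so deleting the phase one SA first, the phase two SA first, or handling the same notification twice never leaves a dangling reference.

```c
#include <stdint.h>
#include <stdlib.h>
#define MAX_PH2 4                                   /* constructed limit for this sketch */
struct ph2 { uint32_t spi; struct ph1 *parent; };   /* phase two (IPsec) SA */
struct ph1 { struct ph2 *kids[MAX_PH2]; };          /* phase one (IKE) SA */
/* Record the relationship in both directions. */
static int bind_ph12(struct ph1 *p1, struct ph2 *p2) {
    for (int i = 0; i < MAX_PH2; i++)
        if (!p1->kids[i]) { p1->kids[i] = p2; p2->parent = p1; return 0; }
    return -1;
}
/* Drop the relationship on both sides; a no-op when already unbound. */
static void unbind_ph12(struct ph2 *p2) {
    struct ph1 *p1 = p2->parent;
    for (int i = 0; p1 && i < MAX_PH2; i++)
        if (p1->kids[i] == p2) p1->kids[i] = NULL;
    p2->parent = NULL;
}
/* Teardown of either side detaches first, so no stale pointer survives. */
static void delete_ph2(struct ph2 *p2) { unbind_ph12(p2); free(p2); }
static void delete_ph1(struct ph1 *p1) {
    for (int i = 0; i < MAX_PH2; i++)
        if (p1->kids[i]) unbind_ph12(p1->kids[i]);
    free(p1);
}
/* Invalid-SPI handling: delete the SA with this SPI; returns 1 if found. */
static int on_invalid_spi(struct ph2 **tbl, int n, uint32_t spi) {
    for (int i = 0; i < n; i++)
        if (tbl[i] && tbl[i]->spi == spi) {
            delete_ph2(tbl[i]); tbl[i] = NULL; return 1;
        }
    return 0;
}
/* Run both teardown orders; returns 1 when no stale reference remains. */
int teardown_orders_ok(void) {
    struct ph1 *p1 = calloc(1, sizeof *p1);
    struct ph2 *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    if (!p1 || !a || !b) return 0;
    a->spi = 0x1001; b->spi = 0x1002;               /* constructed SPIs */
    struct ph2 *tbl[] = { a, b };
    bind_ph12(p1, a); bind_ph12(p1, b);
    int ok = on_invalid_spi(tbl, 2, 0x1001);        /* child first, parent alive */
    ok &= (p1->kids[0] == NULL && p1->kids[1] == b);
    delete_ph1(p1);                                 /* parent before child b */
    ok &= (b->parent == NULL);
    ok &= on_invalid_spi(tbl, 2, 0x1002) && !on_invalid_spi(tbl, 2, 0x1002); /* child after parent; repeat is a no-op */
    return ok;
}
int main(void) { return teardown_orders_ok() ? 0 : 1; }
```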

Behavior Change
