Bug ID 686124: IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3

Fixed In:
14.0.0, 13.1.1.4, 12.1.3.7

Opened: Sep 28, 2017

Severity: 2-Critical

Related Article: K83576240

Symptoms

Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Impact

IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Conditions

Events causing deletion of phase one IKE SAs.

Workaround

None.

Fix Information

Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips