Bug ID 696113: Extra IPsec reference added per crypto operation overflows connflow refcount

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0

Fixed In:

Opened: Nov 24, 2017
Severity: 2-Critical


The refcount field in connflow became smaller, so some IPsec crypto queues can grow long enough to reach and exceed the maximum refcount value.


Unexpected tmm failover after refcount overflow.


When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.


There is no workaround at this time.

Fix Information

An object tracking crypto operations now adds a sole reference to the connflow as long as the count of pending crypto operations is nonzero.
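The overflow and the fix pattern described above, as an added C illustration that is not F5's code. The 16-bit refcount width, the struct and function names, and the initial owner reference are assumptions chosen for the sketch.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical flow object. The 16-bit width is an assumption; the page
 * only says the refcount field became smaller. */
struct flow { uint16_t refcnt; };

/* Before: each queued crypto operation takes its own flow reference.
 * Unsigned arithmetic wraps silently, so a long queue corrupts the count. */
uint16_t refcnt_per_op(size_t queued_ops)
{
    struct flow f = { .refcnt = 1 };      /* owner's reference */
    for (size_t i = 0; i < queued_ops; i++)
        f.refcnt++;                       /* wraps past UINT16_MAX */
    return f.refcnt;
}

/* After: a tracker counts pending operations in a wide counter and holds
 * exactly one flow reference while that count is nonzero. */
struct crypto_tracker { struct flow *flow; size_t pending; };

void tracker_op_start(struct crypto_tracker *t)
{
    if (t->pending++ == 0)
        t->flow->refcnt++;                /* first pending op takes the sole ref */
}

void tracker_op_done(struct crypto_tracker *t)
{
    if (t->pending > 0 && --t->pending == 0)
        t->flow->refcnt--;                /* last op finished: drop the ref */
}

/* Returns the flow refcount while all operations are pending and stores
 * the refcount after the queue has drained in *after_drain. */
uint16_t refcnt_with_tracker(size_t queued_ops, uint16_t *after_drain)
{
    struct flow f = { .refcnt = 1 };
    struct crypto_tracker t = { .flow = &f, .pending = 0 };
    for (size_t i = 0; i < queued_ops; i++)
        tracker_op_start(&t);
    uint16_t while_pending = f.refcnt;
    for (size_t i = 0; i < queued_ops; i++)
        tracker_op_done(&t);
    *after_drain = f.refcnt;
    return while_pending;
}
```

With the per-operation scheme, a queue of 65535 operations leaves the count at zero while every operation is still pending, which is the state in which a later release would free a flow that is still in use.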

Behavior Change