Last Modified: Feb 15, 2019
See more info
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 13.1.0, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 13.1.1, 18.104.22.168, 14.0.0, 22.214.171.124, 126.96.36.199
14.1.0, 188.8.131.52, 184.108.40.206, 220.127.116.11
Opened: Feb 13, 2018
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.
TMM restarts, disrupting traffic and causing HA failover.
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly. A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens. Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.