Bug ID 706423: tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
14.0.0, 13.1.0

Fixed In:
14.1.0, 14.0.0.3, 13.1.1.2, 12.1.3.6

Opened: Feb 13, 2018

Severity: 2-Critical

Symptoms

TMM may discard an existing child-SA via its timer at the moment the SA is in use for encryption or decryption. Separately, an error that aborts negotiation can leave multiple timers associated with one child-SA, and those timers conflict with one another.

Impact

TMM restarts, disrupting traffic and causing HA failover.

Conditions

IPsec configuration errors that cause negotiation to fail can occur while a child-SA is in a state that does not manage its timers correctly. A configuration with a short SA lifetime, which causes frequent re-keying, repeatedly exercises the race condition in which an SA expires while it is in active use for crypto.

Workaround

Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct, and identical, on both IPsec peers. Also ensure that the SA lifetime is long (the default is one day) rather than merely seconds.

Fix Information

Only one timer can now be associated with a child-SA for its short-term progress toward maturity during negotiation, even if an error occurs. A child-SA is now also kept safe during async crypto operations, even if it expires while in use.
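The two invariants described above (an SA that expires while an async crypto job still references it must not be released out from under that job, and a child-SA may never have more than one competing timer) are a general object-lifetime pattern. The following C program is an added illustration of that pattern and is not TMM or F5 code: it models a child-SA with a reference count shared between the SA table and in-flight crypto jobs, so the expiry timer only drops the table's reference and the memory survives until the last job completes, and it rejects a second timer arm while one is pending. All type and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an IPsec child-SA for this example; not BIG-IP/TMM code. */
typedef struct child_sa {
    int  refcnt;       /* owners: the SA table plus every in-flight crypto job */
    bool expired;      /* lifetime timer fired: no NEW work may start on this SA */
    bool timer_armed;  /* invariant: at most one timer is ever armed per SA */
} child_sa_t;

static int g_sa_freed = 0;   /* counts actual releases, so a test can see "freed once" */

static child_sa_t *sa_create(void)
{
    child_sa_t *sa = calloc(1, sizeof *sa);
    sa->refcnt = 1;          /* the SA table's reference */
    return sa;
}

static void sa_ref(child_sa_t *sa) { sa->refcnt++; }

static void sa_unref(child_sa_t *sa)
{
    if (--sa->refcnt == 0) {   /* last owner gone: release for real */
        g_sa_freed++;
        free(sa);
    }
}

/* Arm the expiry/negotiation timer. A second arm attempt while one is
 * pending is rejected instead of creating a competing timer. */
static bool sa_arm_timer(child_sa_t *sa)
{
    if (sa->timer_armed)
        return false;
    sa->timer_armed = true;
    return true;
}

/* Timer callback: retire the SA. Only the table's reference is dropped;
 * any crypto job still holding a reference keeps the memory alive. */
static void sa_timer_fire(child_sa_t *sa)
{
    sa->timer_armed = false;
    sa->expired = true;
    sa_unref(sa);
}

typedef struct crypto_job {
    child_sa_t *sa;          /* the job holds its own reference until completion */
} crypto_job_t;

static crypto_job_t *crypto_start(child_sa_t *sa)
{
    if (sa->expired)
        return NULL;         /* never start new work on a retired SA */
    crypto_job_t *job = calloc(1, sizeof *job);
    sa_ref(sa);
    job->sa = sa;
    return job;
}

/* Completion callback: the job's reference guarantees job->sa is still valid
 * memory here, even if the expiry timer fired while the job was in flight. */
static bool crypto_complete(crypto_job_t *job)
{
    bool sa_still_valid = job->sa->refcnt > 0;
    sa_unref(job->sa);       /* may be the last reference: frees here, not in the timer */
    free(job);
    return sa_still_valid;
}

/* Scenario 1: the SA expires while an async crypto job is in flight.
 * True when new work was refused after expiry, the in-flight job completed
 * against live memory, and the SA was then freed exactly once. */
bool scenario_expire_during_crypto(void)
{
    g_sa_freed = 0;
    child_sa_t *sa = sa_create();
    sa_arm_timer(sa);
    crypto_job_t *job = crypto_start(sa);      /* refcnt 2 */
    sa_timer_fire(sa);                         /* expired; refcnt 1, NOT freed */
    bool refused_new_work = crypto_start(sa) == NULL;
    bool completed_safely = crypto_complete(job);   /* refcnt 0 -> freed now */
    return refused_new_work && completed_safely && g_sa_freed == 1;
}

/* Scenario 2: an error path during negotiation tries to re-arm the timer.
 * Returns how many timers were actually armed (expected: 1). */
int scenario_duplicate_timer(void)
{
    child_sa_t *sa = sa_create();
    int armed = 0;
    if (sa_arm_timer(sa)) armed++;
    if (sa_arm_timer(sa)) armed++;   /* rejected: a timer is already pending */
    sa_timer_fire(sa);               /* refcnt 1 -> 0, SA released */
    return armed;
}

int main(void)
{
    printf("expiry during async crypto handled safely: %s\n",
           scenario_expire_during_crypto() ? "yes" : "no");
    printf("timers armed after duplicate arm attempt: %d\n", scenario_duplicate_timer());
    return 0;
}
```

The key design point is that the timer never frees the SA directly; it only marks it expired and gives up the table's reference, so whichever owner finishes last (timer or crypto completion) performs the single release. The `timer_armed` flag is the same idea applied to the second symptom: an error path that wants a timer must find none pending, or it reuses the existing one rather than racing it.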

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips