Last Modified: Jul 12, 2023
Known Affected Versions:
13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 13.1.1, 126.96.36.199, 188.8.131.52, 14.0.0, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
14.1.0, 126.96.36.199, 188.8.131.52
Opened: Jun 14, 2018
Severity: 3-Major
Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so the tunnel continues to use the existing connflow.
In effect, you cannot change the configuration of the flow by changing the peer definition.
-- Making any change to an IKEv2 ike-peer, even an insignificant change such as a description change.
-- Running a system version that has the new auth-rule attribute inside ike-peer.
Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses new algorithms for the ike-peer.
There is no workaround at this time.
Changes to an ike-peer now expire any existing connflow for that ike-peer. This affects only system versions that have the new auth-rule attribute inside ike-peer.