Bug ID 724143: IKEv2 connflow expiration upon ike-peer change

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 14.0.0.5, 13.1.1.4

Opened: Jun 14, 2018
Severity: 3-Major

Symptoms

Altering the definition of an ike-peer does not expire the connflow used for the tunnel, so the existing connflow remains in use for that tunnel.

Impact

In effect, you cannot change the configuration of the tunnel's flow by changing the ike-peer definition; the established connflow keeps using the old ike-peer state.

Conditions

-- Making any change to an IKEv2 ike-peer, even an insignificant change such as a description change.
-- Running a system version that has the new auth-rule attribute inside ike-peer.

Note: This is not likely to occur in older system versions where no ike-peer state exists inside a connflow, because any ike-peer changes do replace the associated objects. In those cases, even though the same connflow is used, the system uses the new algorithms for the ike-peer.

Workaround

There is no workaround at this time.

Fix Information

Changes to an ike-peer now expire any existing connflow for that ike-peer. This affects only system versions that have the new auth-rule attribute inside ike-peer.

Behavior Change