Bug ID 747203: Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Fixed In:

Opened: Oct 18, 2018

Severity: 2-Critical


Symptoms

-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow, after which the BIG-IP system issues a RST.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses on the affected packets can contain random values, or fe:fe:fe:fe:fe:fe.


Impact

NAT-T/ESP tunnel flows can be terminated by a RST.


Conditions

-- IKEv2 is used with both NAT-T and interface mode.
-- The BIG-IP system is configured with several tmm instances.
-- The combination of IP addresses and port numbers results in the legs of processing for a single flow being distributed across several tmm instances.



Fix Information

In the ESP proxy, the system now clears a bit in the packet metainformation related to forwarding, so that a decrypted packet such as a SYN/ACK can reach the last tmm needed.
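The conditions and the fix above describe a multi-hop hand-off between tmm instances: the NAT-T leg of the flow lands on one tmm, the decrypted inner SYN/ACK belongs to another, and a forwarding bit inherited from the first hop blocks the second. The following toy model is an added illustration for this entry, not BIG-IP or F5 code, and its dispatch rules are assumptions: a packet is dispatched to a tmm by hashing its IP/port tuple, an inter-tmm hand-off marks the packet as forwarded, a packet already marked forwarded is not handed off a second time, and the tmm the NIC queue delivers a packet to is a free parameter. The names (`tmm_for`, `hand_off`, `process_inbound`, `find_split`, `find_same`) and the addresses and ports are constructed for the example.

```python
"""Toy model of how a NAT-T ESP packet is handed between tmm instances.

Added illustration for this bug entry; not BIG-IP code. Assumed rules:
  - each packet is dispatched to a tmm by a hash of its IP/port tuple,
  - a hand-off to another tmm sets a 'forwarded' bit in packet metainfo,
  - a packet whose forwarded bit is set is not handed off a second time.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

NUM_TMM = 4  # assumed tmm count; the bug needs more than one

FlowTuple = Tuple[str, str, int, str, int]  # (proto, src_ip, sport, dst_ip, dport)


def tmm_for(flow: FlowTuple) -> int:
    """Assumed dispatch: hash the tuple and pick a tmm (any stable hash will do)."""
    key = "|".join(str(f) for f in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % NUM_TMM


@dataclass
class Packet:
    flow: FlowTuple
    forwarded: bool = False            # the 'bit in packet metainformation'
    inner: Optional["Packet"] = None   # ESP payload after NAT-T decapsulation


def hand_off(pkt: Packet, current: int, target: int, trace: List[str]) -> int:
    """Move a packet to the tmm owning its flow, at most once per packet."""
    if current == target:
        return current
    if pkt.forwarded:
        trace.append(f"tmm{current}: refuse second hand-off to tmm{target}")
        return current
    pkt.forwarded = True
    trace.append(f"tmm{current} -> tmm{target}")
    return target


def process_inbound(outer: Packet, ingress_tmm: int, fixed: bool) -> Tuple[str, List[str]]:
    """Walk an ESP-in-UDP packet through the model; return ('accepted'|'rst', trace)."""
    trace: List[str] = []
    # Leg 1: the NAT-T (UDP/4500) flow and its ESP proxy live on the tmm
    # selected by the outer tuple, which may differ from the ingress tmm.
    esp_tmm = tmm_for(outer.flow)
    current = hand_off(outer, ingress_tmm, esp_tmm, trace)
    # The ESP proxy decrypts; the inner packet inherits the outer metainfo.
    inner = outer.inner
    inner.forwarded = outer.forwarded
    if fixed:
        inner.forwarded = False   # the fix: clear the forwarding bit after decryption
    # Leg 2: the inner TCP flow (the SYN/ACK) may be owned by yet another tmm.
    owner = tmm_for(inner.flow)
    current = hand_off(inner, current, owner, trace)
    if current != owner:
        trace.append(f"tmm{current}: no flow found for {inner.flow}, sending RST")
        return "rst", trace
    trace.append(f"tmm{current}: matched flow {inner.flow}")
    return "accepted", trace


def build_packet(outer_sport: int) -> Packet:
    """Constructed sample: NAT-T outer UDP flow carrying an inner TCP SYN/ACK."""
    inner = Packet(("tcp", "10.0.0.5", 443, "10.0.1.9", 51000))
    return Packet(("udp", "198.51.100.7", outer_sport, "203.0.113.1", 4500), inner=inner)


def run(outer_sport: int, fixed: bool) -> Tuple[str, List[str]]:
    """Ingress tmm is assumed to differ from the ESP proxy tmm (NIC queue choice)."""
    outer = build_packet(outer_sport)
    ingress = (tmm_for(outer.flow) + 1) % NUM_TMM
    return process_inbound(outer, ingress, fixed)


def find_split(start: int = 40000, count: int = 2000) -> int:
    """Outer source port whose NAT-T leg and inner flow land on different tmms."""
    for sport in range(start, start + count):
        pkt = build_packet(sport)
        if tmm_for(pkt.flow) != tmm_for(pkt.inner.flow):
            return sport
    raise RuntimeError("no port/address combination splits the flow")


def find_same(start: int = 40000, count: int = 2000) -> int:
    """Outer source port whose NAT-T leg and inner flow land on the same tmm."""
    for sport in range(start, start + count):
        pkt = build_packet(sport)
        if tmm_for(pkt.flow) == tmm_for(pkt.inner.flow):
            return sport
    raise RuntimeError("no port/address combination keeps the flow on one tmm")


if __name__ == "__main__":
    split = find_split()
    for fixed in (False, True):
        verdict, trace = run(split, fixed)
        print(f"sport={split} fixed={fixed}: {verdict}")
        for line in trace:
            print("   ", line)
```

Running the script shows the two outcomes side by side: with the port combination returned by `find_split`, the unfixed path ends in the "no flow found" RST after the refused second hand-off, while the fixed path reaches the tmm owning the inner flow; with the port returned by `find_same` the flow stays on one tmm and the bug never triggers, which is why the symptom depends on the particular IP and port combination.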

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips