Bug ID 747203: Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2

Fixed In:
15.1.0, 15.0.1.3, 13.1.3.2

Opened: Oct 18, 2018

Severity: 2-Critical

Symptoms

-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system. -- The BIG-IP system reports 'no flow found'. -- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.

Impact

NATT/ESP tunnel flows can end with a RST reset.

Conditions

-- Using IKEv2 with both NAT-T and interface mode. -- The BIG-IP is configured to use several tmm instances. -- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.

Workaround

None.

Fix Information

In the ESP proxy, The system now clears a bit in packet metainformation related to forwarding, so a decrypted packet such as SYN/ACK can reach the last tmm needed.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips