Bug ID 747203: Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2

Fixed In:
15.1.0, 15.0.1.3, 13.1.3.2

Opened: Oct 18, 2018
Severity: 2-Critical

Symptoms

-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow, followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.

Impact

NATT/ESP tunnel flows can end with a RST reset.

Conditions

-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers results in the legs of processing for one flow being distributed across several tmm instances.

Workaround

None.

Fix Information

In the ESP proxy, the system now clears a bit in the packet metainformation related to forwarding, so that a decrypted packet such as a SYN/ACK can reach the last tmm needed.

Behavior Change