Bug ID 749249: IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7

Fixed In:
15.1.0, 14.1.2.8

Opened: Nov 08, 2018

Severity: 2-Critical

Symptoms

IPsec tunnels fail to establish and CPUs go to 100%.

Impact

The CPU exhaustion may cause system instability. The tmm logs may contain large numbers of messages similar to the following: -- notice SA is not in LARVAL state when receives PFKEY UPDATE: src=50.1.1.53 dst=40.1.1.50 spi=0xc9cd688 proto=0x32 dir=0x1:IN reqid=0.0:0:0x10c81 state=1

Conditions

- IPsec tunnels configured. - System has multiple blades.

Workaround

For vCMP systems, provision the Guest on one blade only. There is no workaround for bare-metal systems.

Fix Information

An internal control-plane messaging loop has been fixed.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips