Bug ID 755716: IPsec connection can fail if connflow expiration happens before IKE encryption

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0, 14.1.2.8

Opened: Jan 16, 2019
Severity: 2-Critical

Symptoms

IKEv2 negotiation fails, and the tmm log shows the following error:

notice [INTERNAL_ERR]: ikev2....: Invalid BIG-IP flow context

Impact

IKE negotiation fails, so an SA cannot be established.

Conditions

Unusual timing that results in connflow expiration immediately preceding Diffie-Hellman generation.

Workaround

None.

Fix Information

Missing connection context is now replaced, so IKE negotiation can continue.

Behavior Change