Last Modified: Apr 10, 2019
See more info
Known Affected Versions:
13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 13.1.1, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 14.0.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 14.1.0, 184.108.40.206, 220.127.116.11, 18.104.22.168
Opened: Mar 19, 2019
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
- IKEv2 Responder sends VENDOR_ID payload in rekey response. - The ipsec.log misleadingly reports: [I] [PROTO_ERR]: unexpected critical payload (type 43) Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
No workaround is known at this time.