Bug ID 774361: IPsec High Availability sync during multiple failover via RFC6311 messages

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 15.0.0, 15.0.1

Fixed In:

Opened: Apr 19, 2019

Severity: 2-Critical


After multiple failover events, BIG-IP can fail to coordinate with a remote peer via RFC6311 protocol messages: the messages can carry the wrong message IDs, and those IDs are marshalled in host byte order instead of network byte order.


IPsec tunnels experience a temporary outage until new security associations are negotiated.


Active and standby systems fail over multiple times, and the newly active system must sync IDs with the newly standby system before exchanging messages with a remote peer to synchronize the expected ID sequences.


No workaround is known at this time.

Fix Information

The following changes have been applied to RFC6311 messages:
-- Values are now passed in big-endian network byte order.
-- BIG-IP is willing to send messages after multiple failovers.
-- Active always syncs with standby before putting IDs into messages.
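As an added illustration of the byte-order defect described under the symptoms and addressed by the first fix item (example code written for this page, not F5's implementation): the notification data of an RFC 6311 IKEV2_MESSAGE_ID_SYNC payload is three 4-octet fields, Nonce Data, EXPECTED_SEND_REQ_MESSAGE_ID and EXPECTED_RECV_REQ_MESSAGE_ID, all in network byte order. The block encodes them with explicit big-endian serialization, decodes them as a conformant peer would, and contrasts that with a plain memcpy of host-order integers, counting how many fields the peer would misread. The struct and function names are my own, the sample values are constructed, and the IKEv2 notify header that precedes this data is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Notification data of an RFC 6311 IKEV2_MESSAGE_ID_SYNC payload: three
 * 4-octet fields, each in network (big-endian) byte order. The IKEv2
 * notify header that precedes this data is not modelled here. */
#define MSGID_SYNC_LEN 12

struct msgid_sync {             /* hypothetical name, not F5's */
    uint32_t nonce;             /* Nonce Data */
    uint32_t expected_send_req; /* EXPECTED_SEND_REQ_MESSAGE_ID */
    uint32_t expected_recv_req; /* EXPECTED_RECV_REQ_MESSAGE_ID */
};

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Correct marshalling: byte-wise big-endian output, so the wire image is
 * the same whatever the endianness of the host that produced it. */
void msgid_sync_encode(const struct msgid_sync *m, uint8_t out[MSGID_SYNC_LEN])
{
    put_be32(out, m->nonce);
    put_be32(out + 4, m->expected_send_req);
    put_be32(out + 8, m->expected_recv_req);
}

/* Decoder a conformant peer would use. Returns 0 on success, -1 if the
 * notification data is not exactly 12 octets. */
int msgid_sync_decode(const uint8_t *in, size_t len, struct msgid_sync *m)
{
    if (len != MSGID_SYNC_LEN)
        return -1;
    m->nonce = get_be32(in);
    m->expected_send_req = get_be32(in + 4);
    m->expected_recv_req = get_be32(in + 8);
    return 0;
}

/* The defect class the bug describes: copying host-order integers straight
 * into the payload. On a big-endian host this happens to be correct; on a
 * little-endian host every field goes out byte-reversed. */
void msgid_sync_encode_hostorder(const struct msgid_sync *m, uint8_t out[MSGID_SYNC_LEN])
{
    memcpy(out, &m->nonce, 4);
    memcpy(out + 4, &m->expected_send_req, 4);
    memcpy(out + 8, &m->expected_recv_req, 4);
}

/* 1 if the running host stores the least significant byte first. */
int host_is_little_endian(void)
{
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Interop check: marshal with the host-order path, decode as a conformant
 * peer would, and count the fields whose value changed in transit. A
 * non-zero result is the disagreement about expected message IDs that
 * leaves the tunnel down until new SAs are negotiated. */
int msgid_sync_count_misread(const struct msgid_sync *m)
{
    uint8_t wire[MSGID_SYNC_LEN];
    struct msgid_sync seen;
    int bad = 0;

    msgid_sync_encode_hostorder(m, wire);
    if (msgid_sync_decode(wire, sizeof wire, &seen) != 0)
        return -1;
    bad += seen.nonce != m->nonce;
    bad += seen.expected_send_req != m->expected_send_req;
    bad += seen.expected_recv_req != m->expected_recv_req;
    return bad;
}

int main(void)
{
    /* Constructed sample values, not taken from a real exchange. */
    struct msgid_sync m = { 0x11223344u, 7u, 0x100u };
    uint8_t wire[MSGID_SYNC_LEN];
    size_t i;

    msgid_sync_encode(&m, wire);
    printf("network order:");
    for (i = 0; i < sizeof wire; i++)
        printf(" %02x", wire[i]);
    printf("\nfields a peer misreads from host-order encoding on this host: %d\n",
           msgid_sync_count_misread(&m));
    return 0;
}
```

The byte-wise shifts are preferred over htonl() here because they make the wire layout explicit and compile identically on every host; on a little-endian BIG-IP, the host-order path mangles all three fields, so the peer's expected send and receive IDs no longer match and the next request is rejected, which is the temporary outage described above.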

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips