Bug ID 778317: IKEv2 HA after Standby restart has race condition with config startup

Last Modified: Jul 07, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0,,,,,, 14.1.2,,,,,,, 15.0.0, 15.0.1,,,

Opened: Apr 30, 2019
Severity: 1-Blocking


A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.


A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system. The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.


The loss of mirrored SAs requires this sequence of events: -- A system becomes standby after failover; then is restarted. -- During restart, HA manages to run before IPsec configuration. -- SAs unsupported by current config are lost despite mirroring. -- After another failover, the newly active system is missing SAs.



Fix Information


Behavior Change