Bug ID 778317: IKEv2 HA after Standby restart has race condition with config startup

Last Modified: May 23, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5

Opened: Apr 30, 2019
Severity: 1-Blocking

Symptoms

A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.

Impact

A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system. The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.

Conditions

The loss of mirrored SAs requires this sequence of events: -- A system becomes standby after failover; then is restarted. -- During restart, HA manages to run before IPsec configuration. -- SAs unsupported by current config are lost despite mirroring. -- After another failover, the newly active system is missing SAs.

Workaround

None.

Fix Information

None

Behavior Change