Last Modified: Sep 14, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
15.1.0
Opened: Apr 30, 2019 Severity: 1-Blocking
A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.
A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system. The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.
The loss of mirrored SAs requires this sequence of events: -- A system becomes standby after failover; then is restarted. -- During restart, HA manages to run before IPsec configuration. -- SAs unsupported by current config are lost despite mirroring. -- After another failover, the newly active system is missing SAs.
None.
A config-ready condition was added, allowing HA mirroring to wait for this after restart, so SAs can be mirrored with the necessary supporting configuration present. Configuration from daemons mcpd and tmpisecd cooperate to signal the config-ready condition after configuration is done.