Bug ID 778317: IKEv2 HA after Standby restart has race condition with config startup

Last Modified: Jan 07, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 15.0.0, 15.0.1, 15.0.1.1

Fixed In:
15.1.0

Opened: Apr 30, 2019
Severity: 1-Blocking

Symptoms

A restarted standby system can end up with missing SAs, if the high availability (HA) process that mirrors the SAs from persistent storage runs before the configuration of IPsec has completed.

Impact

A tunnel outage can occur (until SAs are renegotiated) after failover, if the newly active system lost some mirrored SAs when it was restarted while still acting as the standby system. The impact cannot be observed until standby becomes active, when the missing SAs require a new key negotiation.

Conditions

The loss of mirrored SAs requires this sequence of events: -- A system becomes standby after failover; then is restarted. -- During restart, HA manages to run before IPsec configuration. -- SAs unsupported by current config are lost despite mirroring. -- After another failover, the newly active system is missing SAs.

Workaround

None.

Fix Information

A config-ready condition was added, allowing HA mirroring to wait for this after restart, so SAs can be mirrored with the necessary supporting configuration present. Configuration from daemons mcpd and tmpisecd cooperate to signal the config-ready condition after configuration is done.

Behavior Change