Bug ID 816205: IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Fixed In:

Opened: Aug 20, 2019
Severity: 3-Major


Symptoms

ICMP unreachable messages concerning ESP (IP protocol 50) traffic are not forwarded from the server-side to the client-side when a SNAT Virtual Server handles ESP flows that are not encapsulated in UDP port 4500 (RFC 3948). Other ICMP messages related to the server-side ESP flow may be similarly affected.


Impact

ICMP packets arriving on the server-side are not forwarded to the client-side.


Conditions

-- BIG-IP system is forwarding ESP (protocol 50) packets.
-- Virtual Server is configured with a SNAT pool or automap.
-- The server-side IPsec peer sends ICMP protocol errors in response to the ESP packets.
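To confirm the symptom from packet captures on both sides of the BIG-IP, the following added example (not F5 code) parses ICMP errors that quote an ESP datagram and reports SPIs seen in server-side errors that never reach the client side. NAT rewrites the quoted IP addresses but not the ESP SPI, so the SPI is used as the correlation key; all addresses, SPIs and captures are constructed samples.

```python
import struct
from ipaddress import IPv4Address

ESP, ICMP = 50, 1
ICMP_ERROR_TYPES = {3, 11, 12}  # unreachable, time exceeded, parameter problem

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def esp(spi, seq, body=b"\x00" * 16):
    """ESP header (RFC 4303): SPI, sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + body

def icmp_error(icmp_type, code, quoted):
    """ICMP error quoting the offending datagram (IP header + first 8 bytes, RFC 792)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted[:28]

def esp_icmp_error(pkt):
    """(quoted src, quoted dst, SPI) if pkt is an ICMP error about an ESP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ICMP or pkt[ihl] not in ICMP_ERROR_TYPES:
        return None
    quoted = pkt[ihl + 8:]  # the quoted datagram follows the 8-byte ICMP header
    if quoted[9] != ESP:
        return None
    qihl = (quoted[0] & 0x0F) * 4
    spi = struct.unpack("!I", quoted[qihl:qihl + 4])[0]
    return str(IPv4Address(quoted[12:16])), str(IPv4Address(quoted[16:20])), spi

def unforwarded_esp_errors(server_side, client_side):
    """SPIs quoted by server-side ICMP errors that never show up in the client-side capture."""
    seen = {e[2] for p in client_side if (e := esp_icmp_error(p))}
    return sorted({e[2] for p in server_side if (e := esp_icmp_error(p)) and e[2] not in seen})

def sample_captures():
    """Constructed captures: client 10.0.0.5 -> VS 192.0.2.10, SNAT 203.0.113.7 -> peer 198.51.100.20."""
    spi = 0xABCD1234
    out_esp = ipv4("203.0.113.7", "198.51.100.20", ESP, esp(spi, 1))
    err = ipv4("198.51.100.20", "203.0.113.7", ICMP, icmp_error(3, 2, out_esp))
    server_side = [out_esp, err]
    client_side = [ipv4("10.0.0.5", "192.0.2.10", ESP, esp(spi, 1))]  # ESP in, no ICMP back
    return server_side, client_side

if __name__ == "__main__":
    print("SPIs with unforwarded ICMP errors:", [hex(s) for s in unforwarded_esp_errors(*sample_captures())])
```

On a fixed system the same check returns an empty list, because the ICMP error appears on the client side with the quoted addresses translated back to the client's.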


Workaround

Option 1:
-- Enable NAT Detection (RFC 3947) on the IPsec peers.
NOTE: NAT Detection (RFC 3947) is the correct way to implement IPsec peers when network address translation occurs between the two IPsec peers.

Option 2:
-- Remove NAT from the Virtual Server.
-- Set the following sys db values:
   # tmsh modify sys db ipsec.lookupip value "enable"
   # tmsh modify sys db ipsec.lookupspi value "disable"
NOTE: The sys db settings in option 2 do not resolve the ICMP issue if NAT is configured on the Virtual Server.

Fix Information

ICMP unreachable messages concerning ESP (IP protocol 50) traffic from the server-side are forwarded to the client-side.

