Bug ID 837889: Duplicate traffic-selectors may result in failure while reloading the configuration or during upgrade

Last Modified: Jan 06, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1

Opened: Oct 11, 2019
Severity: 2-Critical

Symptoms

Configuring duplicate net ipsec traffic-selectors with one having interface mode ipsec-policy and another having non-interface mode ipsec-policy is allowed, but results in an error on reloading the config, and may fail during upgrades.

Impact

The configuration is allowed, but fails config reload and upgrade, giving the following error: 01070734:3: Configuration error: Duplicate traffic selector is not allowed.

Conditions

-- Adding a second traffic-selector that has the same values for all these five attributes: - destination-address - destination-port - source-address - source-port - ip-protocol. -- The second traffic-selector ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface'. -- The first traffic-selector has a non-interface ipsec-policy. Example of two duplicate traffic-sectors (trafsel1 and trafsel2): net ipsec ipsec-policy temp-ipsec-policy { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 } net ipsec ipsec-policy temp-ipsec-policy-interface { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 mode interface } net ipsec traffic-selector trafsel1 { ipsec-policy temp-ipsec-policy source-address 1.1.1.1/32 source-port texar } net ipsec traffic-selector trafsel2 { ipsec-policy temp-ipsec-policy-interface source-address 1.1.1.1/32 source-port texar }

Workaround

Before upgrading: Ensure all pairs of duplicate traffic-selectors have an ipsec-policy configured and that, this ipsec-policy is in interface mode, i.e., has its 'mode' field set to 'interface', or ensure any one of the five attributes listed above is unique. This can be done in multiple ways: 1. Change the ipsec-policy of the traffic-selector to take an interace mode ipsec-policy: Example: net ipsec ipsec-policy temp-ipsec-policy { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 } net ipsec ipsec-policy temp-ipsec-policy-interface { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 mode interface } net ipsec traffic-selector trafsel1 { ipsec-policy temp-ipsec-policy-interface source-address 1.1.1.1/32 source-port texar } net ipsec traffic-selector trafsel2 { ipsec-policy temp-ipsec-policy-interface source-address 1.1.1.1/32 source-port texar } 2. Change the mode of ipsec-policy (used by any duplicate traffic-selector) to 'interface'. Example: net ipsec ipsec-policy temp-ipsec-policy { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 mode interface } net ipsec ipsec-policy temp-ipsec-policy-interface { ike-phase2-auth-algorithm aes-gcm128 ike-phase2-encrypt-algorithm aes-gcm128 mode interface } net ipsec traffic-selector trafsel1 { ipsec-policy temp-ipsec-policy source-address 1.1.1.1/32 source-port texar } net ipsec traffic-selector trafsel2 { ipsec-policy temp-ipsec-policy source-address 1.1.1.1/32 source-port texar } 3. Change any one of the five attributes to be unique, (e.g., source-address): net ipsec traffic-selector trafsel1 { ipsec-policy temp-ipsec-policy source-address 1.1.2.2/32 source-port texar } net ipsec traffic-selector trafsel2 { ipsec-policy temp-ipsec-policy-interface source-texar 1.1.1.1/32 source-port texar }

Fix Information

None

Behavior Change