Bug ID 897509: IPsec SAs are missing on HA standby, leading to packet drops after failover

Last Modified: Nov 22, 2021

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:
16.1.0, 15.1.4.1

Opened: Apr 09, 2020
Severity: 2-Critical

Symptoms

IPsec Security Associations (SAs) are missing on the standby high availability (HA) device.

Impact

During an HA failover, IPsec tunnels may be disrupted because the newly active device is not aware of some IPsec SAs.

Conditions

-- HA mirroring is configured
-- IKEv2 tunnels are started

Workaround

None

Fix Information

IPsec SAs are now mirrored correctly to the HA standby device. Note that HA failover for IPsec tunnels is only supported when IKEv2 tunnels are in use.

Behavior Change