Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2
Fixed In:
16.1.0
Opened: Sep 24, 2020
Severity: 2-Critical
Symptoms:
In the case of IPsec traffic-selector narrowing during tunnel negotiation, Security Associations (SAs) may not be mirrored to the Standby after the Standby is rebooted.
Impact:
IPsec SAs may not be mirrored to the Standby device. If a failover occurs, the newly Active device cannot handle previously established tunnels.
Conditions:
- BIG-IP systems configured in High Availability (HA).
- Mirroring is configured.
- The Standby system reboots.
Workaround:
Configure traffic-selectors to match exactly on both IPsec peers.
Fix Information:
During reboot, the IPsec object dependency chain is maintained.
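One way to audit the workaround before relying on it, as an added example that is not F5 code or part of the original bug report: the check below flags tunnels whose selectors overlap without being identical, which is the case where narrowing would occur. The tuple format, tunnel names and addresses are constructed assumptions, and ports and protocols are not compared.

```python
import ipaddress

def classify(local, remote):
    """Compare one peer's traffic selector with the other peer's.

    Each selector is a (source CIDR, destination CIDR) tuple as configured
    on that peer (hypothetical format, not tmsh output). The remote side is
    mirrored: its destination is our source.
    Returns 'exact', 'narrowing' or 'mismatch'.
    """
    l_src, l_dst = (ipaddress.ip_network(c, strict=False) for c in local)
    r_src, r_dst = (ipaddress.ip_network(c, strict=False) for c in remote)
    pairs = [(l_src, r_dst), (l_dst, r_src)]
    if all(a == b for a, b in pairs):
        return "exact"
    # Overlapping but unequal ranges negotiate down to their intersection,
    # i.e. the tunnel comes up through traffic-selector narrowing.
    if all(a.overlaps(b) for a, b in pairs):
        return "narrowing"
    return "mismatch"

def audit(tunnels):
    """Return {tunnel name: result} for every tunnel that is not an exact match."""
    findings = {}
    for name, (local, remote) in tunnels.items():
        result = classify(local, remote)
        if result != "exact":
            findings[name] = result
    return findings

# Constructed sample data: (local selector, remote selector) per tunnel.
SAMPLE_TUNNELS = {
    "branch-a": (("10.1.0.0/24", "10.2.0.0/24"), ("10.2.0.0/24", "10.1.0.0/24")),
    "branch-b": (("10.1.0.0/16", "10.3.0.0/24"), ("10.3.0.0/24", "10.1.0.0/24")),
    "branch-c": (("10.1.0.0/24", "10.4.0.0/24"), ("10.5.0.0/24", "10.1.0.0/24")),
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_TUNNELS).items():
        print(f"{name}: {result}")
```

Tunnels reported as `narrowing` are the ones to reconfigure so both peers carry identical selectors.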