Bug ID 948101: Pair of phase 2 SAs missing after reboot of standby BIG-IP device

Last Modified: Feb 26, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1

Opened: Sep 24, 2020
Severity: 2-Critical

Symptoms

In the case of IPsec traffic-selector narrowing during tunnel negotiation, Security Associations (SAs) may not be mirrored to the Standby after the Standby is rebooted.

Impact

IPsec SAs may not be mirrored to the Standby device. If a failover occurs, the newly Active device cannot handle previously established tunnels.

Conditions

- BIG-IP systems configured in High Availability (HA). - Mirroring is configured. - The Standby system reboots.

Workaround

Configure traffic-selectors to match exactly on both IPsec peers.

Fix Information

None

Behavior Change