Bug ID 969713: IPsec interface mode tunnel may fail to pass packets after first IPsec rekey

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
15.1.0, 15.1.1, 15.1.2, 15.1.3

Fixed In:
16.1.0, 15.1.4

Opened: Dec 04, 2020

Severity: 3-Major


Symptoms

IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.

Impact

IPsec tunnel suddenly stops forwarding packets across the tunnel.

Conditions

-- IKEv2
-- IPsec tunnel uses interface mode ipsec-policy
-- IPsec SAs are re-negotiated, for example after the SA lifetime expires
-- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured

Workaround

-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.
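One way to audit for the narrowing condition before applying the workaround, as an added example that is not F5 code: it compares the selector configured on each end of a tunnel and reports whether the two are identical or would be narrowed to a smaller common range. The tunnel names, the `bigip_side`/`peer_side` keys and the sample networks are assumptions made for illustration; the peer's selector is assumed to be already expressed in the same orientation as the BIG-IP's, and only address ranges are compared, not protocol or port.

```python
import ipaddress

def overlap(a, b):
    """Return the range common to two CIDR blocks, or None if they are disjoint."""
    a = ipaddress.ip_network(a, strict=False)
    b = ipaddress.ip_network(b, strict=False)
    if a.version != b.version or not a.overlaps(b):
        return None
    # Overlapping CIDR blocks are always nested: the more specific one is the overlap.
    return a if a.prefixlen >= b.prefixlen else b

def compare_selector(bigip_ts, peer_ts):
    """Classify one tunnel: 'identical', 'narrowing' or 'no-overlap'.

    Both arguments are dicts with hypothetical keys 'bigip_side' and 'peer_side',
    each holding the network that end has configured for that side of the tunnel.
    """
    narrowed = {}
    for side in ("bigip_side", "peer_side"):
        common = overlap(bigip_ts[side], peer_ts[side])
        if common is None:
            return "no-overlap", None
        narrowed[side] = str(common)
    same = all(
        ipaddress.ip_network(bigip_ts[s], strict=False)
        == ipaddress.ip_network(peer_ts[s], strict=False)
        for s in narrowed
    )
    return ("identical" if same else "narrowing"), narrowed

def audit(tunnels):
    """Map tunnel name -> (status, narrowed selector) for every configured pair."""
    return {name: compare_selector(b, p) for name, (b, p) in tunnels.items()}

# Constructed sample data: (BIG-IP selector, remote peer selector) per tunnel.
SAMPLE = {
    "tunnel-a": ({"bigip_side": "10.1.0.0/16", "peer_side": "10.2.0.0/16"},
                 {"bigip_side": "10.1.0.0/16", "peer_side": "10.2.0.0/16"}),
    "tunnel-b": ({"bigip_side": "10.1.0.0/16", "peer_side": "0.0.0.0/0"},
                 {"bigip_side": "10.1.20.0/24", "peer_side": "10.2.0.0/16"}),
    "tunnel-c": ({"bigip_side": "10.1.0.0/16", "peer_side": "10.2.0.0/16"},
                 {"bigip_side": "192.168.0.0/24", "peer_side": "10.2.0.0/16"}),
}

if __name__ == "__main__":
    for name, (status, narrowed) in audit(SAMPLE).items():
        print(f"{name}: {status} {narrowed or ''}")
```

A tunnel reported as `narrowing` matches the last condition listed above and is the one to bring into line with the workaround.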

Fix Information

IPsec tunnel forwards packets after IPsec SAs are re-established.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips