Bug ID 969713: IPsec interface mode tunnel may fail to pass packets after first IPsec rekey

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1

Fixed In:
16.1.0, 15.1.4

Opened: Dec 04, 2020

Severity: 3-Major

Symptoms

IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.

Impact

IPsec tunnel suddenly stops forwarding packets across the tunnel

Conditions

-- IKEv2 -- IPsec tunnel uses interface mode ipsec-policy -- IPsec SAs are re-negotiated, for example after the SA lifetime expires -- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured

Workaround

-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.

Fix Information

IPsec tunnel forwards packets after IPsec SAs are re-established.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips