Bug ID 999021: IPsec IKEv1 tunnels fail after a config sync from Standby to Active

Last Modified: Sep 23, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,, 15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4, 16.0.0,, 16.0.1,

Fixed In:

Opened: Mar 03, 2021
Severity: 3-Major


When racoon (the IKEv1 daemon) sees a tunnel config change, which occurs due to a config sync from the standby device, the change causes tmm and racoon to have conflicting views on the state of that tunnel. If the IKEv1 tunnel is up at the time of the config change, tmm fails to restart the tunnel.


IPsec IKEv1 tunnels fail and do not start again.


-- IPsec IKEv1 tunnel in use. -- Changes made to IPsec IKEv1 tunnel on the Standby BIG-IP device, which are then sync'd to the Active BIG-IP device. -- And/or a full config sync from the Standby to Active BIG-IP system.


-- Do not make changes to IPsec IKEv1 tunnels on the Standby device. -- Avoid full syncs from Standby to Active. How to recover when the problem occurs: -- Disable the affected ike-peer and re-enable it.

Fix Information

IKEv1 tunnels are able to negotiate after Standby to Active config sync.

Behavior Change