Symptoms
When you check the SPI fields of an IKEv2 IPsec SA, the SPI values are displayed with the wrong byte order. The SPI details appear in the output of "tmsh show net ipsec ike-sa all-properties".
For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d
When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C
Impact
This can confuse a BIG-IP administrator who is attempting to verify that IPsec peers have the same SAs.
Conditions
IKEv2 IPsec SAs are established or are in the process of being established.
Workaround
Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.
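The manual rearrangement can be scripted. The following is an added example, not F5 code: it reverses the byte order of the SPIs in the affected output and compares them with the peer's view, using the values quoted in the Symptoms above. The function names are hypothetical, and it assumes the text holds a single SA and that the peer's local SPI corresponds to the BIG-IP's remote SPI, as the values above show.

```python
import re

# Matches SPI lines as they appear in the affected output quoted above,
# e.g. "Spi(local): 0x3c4742cab016098c" / "Spi(Remote): 0x959f0a013581e25d".
SPI_LINE = re.compile(r"Spi\((local|remote)\):\s*(0x[0-9a-f]+)", re.IGNORECASE)

def swap_spi(hex_spi):
    """Reverse the byte order of an 8-byte IKE SPI given as hex text."""
    text = hex_spi.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on odd length or non-hex
    if len(raw) != 8:
        raise ValueError("IKE SPI must be 8 bytes, got %d" % len(raw))
    return raw[::-1].hex().upper()

def corrected_spis(tmsh_text):
    """Return {'local': ..., 'remote': ...} with the byte order corrected."""
    found = {}
    for role, value in SPI_LINE.findall(tmsh_text):
        found[role.lower()] = swap_spi(value)
    if set(found) != {"local", "remote"}:
        raise ValueError("expected one local and one remote SPI")
    return found

def matches_peer(tmsh_text, peer_local, peer_remote):
    """True when the corrected BIG-IP SPIs agree with the peer's view.

    Assumption: each side's "local" SPI is the other side's "remote" SPI.
    """
    ours = corrected_spis(tmsh_text)
    return (ours["local"] == peer_remote.strip().upper()
            and ours["remote"] == peer_local.strip().upper())

# Values copied from the Symptoms section of this page.
AFFECTED_OUTPUT = """\
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d
"""

if __name__ == "__main__":
    print(corrected_spis(AFFECTED_OUTPUT))
    print(matches_peer(AFFECTED_OUTPUT, "5DE28135010A9F95", "8C0916B0CA42473C"))
```

Run this only against output from a release that still has the defect; on a fixed release the displayed SPIs are already correct and must not be swapped.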
Fix Information
The correct SPI numbers are displayed when running the "tmsh show net ipsec ike-sa all-properties" command. Note that this command only shows IKEv2 SAs.