SA540 firmware updates

Unanswered Question
Nov 6th, 2009

Is there any information on the timeline for the next update?  These devices are not working out for me the way I had hoped they would. They're severely crippled right now, and I'm seriously considering buying a couple of 5505's to replace them.

The site to site VPN tunnel quit working just now because the SA was expiring and I can't even get the two devices to reconnect.  I'm thinking I'm going to have to reset them both which is really inconvenient and would be a disaster if I had these installed at a client's site.  Here's what the log looks like. I had to disable and then re-enable the IPSEC policy just to get the connection to drop. The Drop button under VPN status wouldn't do it.

2009-11-06 09:52:06: INFO:  Beginning Identity Protection mode.

2009-11-06 09:52:06: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 09:52:06: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 09:52:06: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 09:52:06: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 09:52:37: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:52:48: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:52:48: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:53:06: ERROR:  Phase 1 negotiation failed due to time up for aa.aa.aa.aa[500]. 2d1475dccc14af39:0000000000000000

2009-11-06 09:53:20: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:53:31: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:53:31: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:53:31: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 09:53:31: INFO:  Beginning Identity Protection mode.

2009-11-06 09:53:31: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 09:53:31: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 09:53:31: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 09:53:31: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 09:54:02: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:54:02: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:54:02: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:54:31: ERROR:  Phase 1 negotiation failed due to time up for aa.aa.aa.aa[500]. 5826d0e38aaca567:0000000000000000

2009-11-06 09:54:33: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:54:39: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:54:39: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:54:39: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 09:54:39: INFO:  Beginning Identity Protection mode.

2009-11-06 09:54:39: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 09:54:39: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 09:54:39: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 09:54:39: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 09:55:10: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:55:15: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:55:15: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:55:39: ERROR:  Phase 1 negotiation failed due to time up for aa.aa.aa.aa[500]. e0693ad37691c8b3:0000000000000000

2009-11-06 09:55:46: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:55:52: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:55:52: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:55:52: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 09:55:52: INFO:  Beginning Identity Protection mode.

2009-11-06 09:55:52: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 09:55:52: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 09:55:52: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 09:55:52: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 09:56:23: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:56:25: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:56:25: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:56:52: ERROR:  Phase 1 negotiation failed due to time up for aa.aa.aa.aa[500]. 85886211c929c4e2:0000000000000000

2009-11-06 09:56:56: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:56:57: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:56:57: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:56:57: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 09:56:57: INFO:  Beginning Identity Protection mode.

2009-11-06 09:56:57: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 09:56:57: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 09:56:57: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 09:56:57: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 09:57:28: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:57:30: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:57:30: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:57:57: ERROR:  Phase 1 negotiation failed due to time up for aa.aa.aa.aa[500]. cfc6aa241938839f:0000000000000000

2009-11-06 09:58:01: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:58:01: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:58:01: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:58:01: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 09:58:01: INFO:  Beginning Identity Protection mode.

2009-11-06 09:58:01: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 09:58:01: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 09:58:01: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 09:58:01: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 09:58:32: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:58:38: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:58:38: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:59:01: ERROR:  Phase 1 negotiation failed due to time up for aa.aa.aa.aa[500]. 0fd82457926d614b:0000000000000000

2009-11-06 09:59:09: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 09:59:26: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 09:59:26: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 09:59:26: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 09:59:26: INFO:  Beginning Identity Protection mode.

2009-11-06 09:59:26: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 09:59:26: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 09:59:26: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 09:59:26: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 09:59:26: INFO:  Received Vendor ID: RFC 3947

2009-11-06 09:59:26: INFO:  Received Vendor ID: DPD

2009-11-06 09:59:26: INFO:  Received Vendor ID: KAME/racoon

2009-11-06 09:59:26: INFO:  For aa.aa.aa.aa[500], Selected NAT-T version: RFC 3947

2009-11-06 09:59:26: INFO:  Received Vendor ID: KAME/racoon

2009-11-06 09:59:26: INFO:  NAT-D payload matches for bb.bb.bb.bb[500]

2009-11-06 09:59:26: INFO:  NAT-D payload matches for aa.aa.aa.aa[500]

2009-11-06 09:59:26: INFO:  NAT not detected

2009-11-06 09:59:26: INFO:  ISAKMP-SA established for bb.bb.bb.bb[500]-aa.aa.aa.aa[500] with spi:26283b09e85bde22:6da25d30f01c7996

2009-11-06 09:59:26: INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]

2009-11-06 09:59:27: INFO:  Initiating new phase 2 negotiation: bb.bb.bb.bb[0]<=>aa.aa.aa.aa[0]

2009-11-06 09:59:28: INFO:  IPsec-SA established: ESP/Tunnel aa.aa.aa.aa->bb.bb.bb.bb with spi=113045703(0x6bcf0c7)

2009-11-06 09:59:28: INFO:  IPsec-SA established: ESP/Tunnel bb.bb.bb.bb->aa.aa.aa.aa with spi=173861819(0xa5cebbb)

2009-11-06 10:47:29: INFO:  IPsec-SA expired: ESP/Tunnel bb.bb.bb.bb->aa.aa.aa.aa with spi=173861819(0xa5cebbb)

2009-11-06 10:47:29: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 10:47:29: INFO:  Initiating new phase 2 negotiation: bb.bb.bb.bb[0]<=>aa.aa.aa.aa[0]

2009-11-06 10:47:29: INFO:  IPsec-SA established: ESP/Tunnel aa.aa.aa.aa->bb.bb.bb.bb with spi=78945597(0x4b49d3d)

2009-11-06 10:47:29: INFO:  IPsec-SA established: ESP/Tunnel bb.bb.bb.bb->aa.aa.aa.aa with spi=178252860(0xa9fec3c)

2009-11-06 11:35:30: INFO:  IPsec-SA expired: ESP/Tunnel bb.bb.bb.bb->aa.aa.aa.aa with spi=178252860(0xa9fec3c)

2009-11-06 11:35:30: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 11:35:30: INFO:  Initiating new phase 2 negotiation: bb.bb.bb.bb[0]<=>aa.aa.aa.aa[0]

2009-11-06 11:35:30: INFO:  IPsec-SA established: ESP/Tunnel aa.aa.aa.aa->bb.bb.bb.bb with spi=35188304(0x218ee50)

2009-11-06 11:35:30: INFO:  IPsec-SA established: ESP/Tunnel bb.bb.bb.bb->aa.aa.aa.aa with spi=83619184(0x4fbed70)

2009-11-06 11:38:05: INFO:  Flushing SAs for peer "aa.aa.aa.aa" with spi 178252860

2009-11-06 11:38:05: ERROR:  failed to get iph2

2009-11-06 11:38:21: INFO:  Flushing SAs for peer "aa.aa.aa.aa" with spi 178252860

2009-11-06 11:38:21: ERROR:  failed to get iph2

2009-11-06 11:38:42: INFO:  Flushing SAs for peer "aa.aa.aa.aa" with spi 178252860

2009-11-06 11:38:42: ERROR:  failed to get iph2

2009-11-06 11:41:59: INFO:  Flushing SAs for peer "aa.aa.aa.aa" with spi 178252860

2009-11-06 11:41:59: ERROR:  failed to get iph2

2009-11-06 11:42:19: INFO:  Sending Informational Exchange: delete payload[]

2009-11-06 11:42:19: INFO:  purged IPsec-SA proto_id=ESP spi=83619184.

2009-11-06 11:42:19: INFO:  purged IPsec-SA proto_id=ESP spi=35188304.

2009-11-06 11:42:19: INFO:  an undead schedule has been deleted: 'pk_recvupdate'.

2009-11-06 11:42:19: INFO:  IPSec configuration with identifer "schehsites" deleted sucessfully

2009-11-06 11:42:19: WARNING:  no phase2 bounded.

2009-11-06 11:42:19: INFO:  Sending Informational Exchange: delete payload[]

2009-11-06 11:42:19: INFO:  Purged IPsec-SA with spi=178252860(0xa9fec3c).

2009-11-06 11:42:19: INFO:  Purged ISAKMP-SA with spi=26283b09e85bde22:6da25d30f01c7996.

2009-11-06 11:42:19: INFO:  an undead schedule has been deleted: 'purge_remote'.

2009-11-06 11:42:19: INFO:  IKE configuration with identifier "schehsites" deleted sucessfully

2009-11-06 11:48:11: INFO:  Adding IPSec configuration with identifier "schehsites"

2009-11-06 11:48:11: INFO:  Adding IKE configuration with identifer "schehsites"

2009-11-06 11:48:14: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 11:48:14: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 11:48:14: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 11:48:14: INFO:  Beginning Identity Protection mode.

2009-11-06 11:48:14: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 11:48:14: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 11:48:14: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 11:48:14: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

2009-11-06 11:48:45: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 11:49:01: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 11:49:01: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 11:49:03: INFO:  accept a request to establish IKE-SA: aa.aa.aa.aa

2009-11-06 11:49:03: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 11:49:14: ERROR:  Phase 1 negotiation failed due to time up for aa.aa.aa.aa[500]. b3faa9158ac31cc7:0000000000000000

2009-11-06 11:49:32: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP aa.aa.aa.aa->bb.bb.bb.bb

2009-11-06 11:49:34: ERROR:  Invalid SA protocol type: 0

2009-11-06 11:49:34: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.

2009-11-06 11:49:37: INFO:  Using IPsec SA configuration: dd.dd.dd.dd/24<->cc.cc.cc.cc/24

2009-11-06 11:49:37: INFO:  Configuration found for aa.aa.aa.aa.

2009-11-06 11:49:37: INFO:  Initiating new phase 1 negotiation: bb.bb.bb.bb[500]<=>aa.aa.aa.aa[500]

2009-11-06 11:49:37: INFO:  Beginning Identity Protection mode.

2009-11-06 11:49:37: INFO:   [ident_i1send:178]: XXX: NUMNATTVENDORIDS: 3

2009-11-06 11:49:37: INFO:   [ident_i1send:182]: XXX: setting vendorid: 4

2009-11-06 11:49:37: INFO:   [ident_i1send:182]: XXX: setting vendorid: 8

2009-11-06 11:49:37: INFO:   [ident_i1send:182]: XXX: setting vendorid: 9

Steven Smith Fri, 11/06/2009 - 10:36

Would you mind opening a TAC case for this?  It will help us better track the issue.  Please PM me the case number.  I will make sure this gets proper attention.

b.fivelson Thu, 04/22/2010 - 14:57

I believe I have the same problem with a SA 520W

My ASA5505s are working no problem

These drop off and don't come back

weilia Thu, 04/22/2010 - 18:10

Hi,

The latest firmware 1.1.42 fixed quite a few VPN issues.
Could you please try the latest firmware?


thanks
wei

b.fivelson Thu, 04/22/2010 - 19:17

I am using the latest firmware 1.1.42

This is a dynamic tunnel hosted by an asa

If the internet goes out at the main site then the SA520s do not reestablish the vpn

I have remote asas that do reestablish the VPNs

I have been rebooting the SA520s to bring them back up

weilia Fri, 04/23/2010 - 08:11

Could you please send us your ASA and SA 500 config? If not, we'll try our best to reproduce this issue.

thanks

wei

b.fivelson Tue, 04/27/2010 - 20:35

Hello,

I believe I noticed in the log that it said SA expired over and over again before I had to reboot the SA to bring the tunnel back up

Disabling and enabling the VPN policies does not bring the tunnel back up, I have to reboot the SA to establish the VPN connection

IKE

3des SHA1

RSA

86400 lifetime

G2 1024

Dead peer 10 3

IPSEC

SA lifetime 4608000 kbytes

PFS G2 1024

4 sites

Main site

ASA

Static IP

Dynamic VPN

2 vlans

Site 1 and 2

Problems if the main internet goes down then the tunnels do not re-establish until I reboot sa. Disable and enable vpn policy does not work. Log says sa expired over and over again until reboot.

SA520W

Dynamic IP

2 Vlans each with a tunnel to main and other sites via the main

Site 4

ASA

dynamic ip

no problem vpn establishes automatically if internet goes down at main

1 vlan and tunnel to all sites via main

So about 10 Tunnels through the main ASA to interconnect all the sites

Hope this helps

I will try and remember to copy the log before I reboot it next time this happens

Let me know

Thank you

b.fivelson Wed, 04/28/2010 - 08:46

This time it brought my voice tunnel back up but not my data

2010-04-28 09:24:05: INFO: Received Vendor ID: CISCO-UNITY

2010-04-28 09:24:05: INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2010-04-28 09:24:05: INFO: Received unknown Vendor ID

2010-04-28 09:24:05: INFO: Received unknown Vendor ID

2010-04-28 09:24:05: INFO: NAT-D payload matches for 98.165.134.100[500]

2010-04-28 09:24:05: INFO: NAT-D payload matches for 68.14.223.211[500]

2010-04-28 09:24:05: INFO: NAT not detected

2010-04-28 09:24:05: INFO: Received Vendor ID: DPD

2010-04-28 09:24:05: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/CN=cmcis-fw-1.cmcis.local

2010-04-28 09:24:05: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=local/DC=CMC/CN=cmc-shelly.cmc.local

2010-04-28 09:24:05: INFO: ISAKMP-SA established for 98.165.134.100[500]-68.14.223.211[500] with spi:13d5cc6ba77e6eed:9a0620d846fad6a4

2010-04-28 09:24:05: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]

2010-04-28 09:24:24: INFO: Using IPsec SA configuration: 10.99.7.0/24<->10.99.9.0/24

2010-04-28 09:24:24: INFO: Configuration found for 68.14.223.211.

2010-04-28 09:24:24: INFO: Initiating new phase 2 negotiation: 98.165.134.100[0]<=>68.14.223.211[0]

2010-04-28 09:24:25: INFO: IPsec-SA established: ESP/Tunnel 68.14.223.211->98.165.134.100 with spi=266437252(0xfe18284)

2010-04-28 09:24:25: INFO: IPsec-SA established: ESP/Tunnel 98.165.134.100->68.14.223.211 with spi=867557109(0x33b5def5)

2010-04-28 09:24:59: INFO: IPsec-SA expired: ESP/Tunnel 68.14.223.211->98.165.134.100 with spi=68388413(0x413863d)

2010-04-28 09:26:08: INFO: IPsec-SA expired: ESP/Tunnel 68.14.223.211->98.165.134.100 with spi=248872166(0xed57ce6)

2010-04-28 09:27:17: INFO: IPsec-SA expired: ESP/Tunnel 68.14.223.211->98.165.134.100 with spi=131380071(0x7d4b367)

2010-04-28 09:28:25: INFO: IPsec-SA expired: ESP/Tunnel 68.14.223.211->98.165.134.100 with spi=222149893(0xd3dbd05)

2010-04-28 09:29:33: INFO: IPsec-SA expired: ESP/Tunnel 68.14.223.211->98.165.134.100 with spi=244701974(0xe95db16)
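
Added example (not part of the thread and not Cisco's code): a small Python triage script for the two patterns in the logs posted above, Phase 1 timeouts whose responder cookie is still all zeros, and IPsec-SA expiries with no replacement SA for the same direction. The sample log is constructed in the thread's format, and the 5-second rekey window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the thread's log format; addresses are documentation
# ranges and the cookies/SPIs are made up.
SAMPLE = """\
2009-11-06 09:53:06: ERROR:  Phase 1 negotiation failed due to time up for 198.51.100.1[500]. 1111111111111111:0000000000000000
2009-11-06 09:54:31: ERROR:  Phase 1 negotiation failed due to time up for 198.51.100.1[500]. 2222222222222222:0000000000000000
2009-11-06 09:59:28: INFO:  IPsec-SA established: ESP/Tunnel 192.0.2.1->198.51.100.1 with spi=1001(0x3e9)
2009-11-06 10:47:29: INFO:  IPsec-SA expired: ESP/Tunnel 192.0.2.1->198.51.100.1 with spi=1001(0x3e9)
2009-11-06 10:47:29: INFO:  IPsec-SA established: ESP/Tunnel 192.0.2.1->198.51.100.1 with spi=1002(0x3ea)
2009-11-06 11:35:30: INFO:  IPsec-SA expired: ESP/Tunnel 192.0.2.1->198.51.100.1 with spi=1002(0x3ea)
2009-11-06 11:36:38: INFO:  IPsec-SA expired: ESP/Tunnel 192.0.2.1->198.51.100.1 with spi=1003(0x3eb)
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (INFO|ERROR|WARNING):\s+(.*)$")
P1_FAIL = re.compile(r"Phase 1 negotiation failed due to time up for (\S+)\[\d+\]\. "
                     r"([0-9a-f]{16}):([0-9a-f]{16})")
SA_EVENT = re.compile(r"IPsec-SA (expired|established): ESP/Tunnel (\S+)->(\S+) ")

def parse(text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]

def summarize(text, rekey_window=timedelta(seconds=5)):
    """Count unanswered Phase 1 attempts and expiries without a rekey."""
    unanswered, established, expired = [], [], []
    for ts, _level, msg in parse(text):
        m = P1_FAIL.search(msg)
        # Responder cookie all zero: no responder cookie was ever recorded
        # for this exchange, so the timeout happened before any usable reply.
        if m and set(m[3]) == {"0"}:
            unanswered.append((ts, m[1]))
        m = SA_EVENT.search(msg)
        if m:
            (expired if m[1] == "expired" else established).append((ts, m[2], m[3]))
    # Heuristic: an expiry is a normal rekey if an SA for the same direction
    # is established within rekey_window of it; otherwise count it as stale.
    stale = [e for e in expired
             if not any(s[1:] == e[1:] and abs(s[0] - e[0]) <= rekey_window
                        for s in established)]
    return {
        "phase1_unanswered": len(unanswered),
        "peers": sorted({peer for _ts, peer in unanswered}),
        "rekeyed": len(expired) - len(stale),
        "stale_expiries": len(stale),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
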

beowulfs Fri, 04/23/2010 - 08:46

Since I'm still copied on this thread, I thought I'd respond.  I still use my SA540's but only as expensive gigabit routers.  They don't NAT, don't do VPN, and have the firewall turned off.  I'm using ASA5505's in front of them.  This way I can still connect my iPad and iPhone with VPN since we won't see Apple SSL VPN for the iPhone until the summer and the iPad in the fall.  I couldn't spend any more time trying to troubleshoot a non-beta device.  In the end the ASA approach was cheaper.

Brian Bergin Wed, 08/18/2010 - 17:22

After not having this problem on 1.1.42 it appears to be back in 1.1.65.  I get this in VPN logs:

2010-08-18 15:39:07: INFO:  remote configuration for identifier "FQDN_here" found
2010-08-18 15:39:07: ERROR:  Identity Protection mode of 0.0.0.0[500] is not acceptable.
2010-08-18 15:39:08: INFO:  Flushing SAs for peer "FQDN_here" with spi 2136572931
2010-08-18 15:39:09: ERROR:  failed to get iph2

Reboots don't seem to help.  Anyone find a permanent solution?
