On an R65 cluster... we had our main internet link die for a few minutes. Since then, from SecureView Monitor I noticed there was a problem with ClusterXL on one of the nodes, so I failed over and restarted the node. Once it was back up, both nodes (running in HA) became active, which worried me, so I restarted the other node. At that point the operation of ClusterXL looked OK: one node active, one standby.
From our logs, a VPN we have has been reporting the following errors:
Quote:
Number: 3106338 Date: 18Apr2008 Time: 16:12:41 Product: VPN-1 Power/UTM Interface: daemon Origin: xxxxxxxxxxxxx Type: Log Action: Drop Protocol: ip Source: xxxxxxxxxxxxx Rule: 0 - Implied Rules Information: encryption failure: Unknown SPI: 0x5cf5657c for IPsec packet. Encryption Scheme: IKE Subproduct: VPN VPN Feature: IKE VPN Peer Gateway: xxxxxxxxxxxxx
Quote:
Number: 3106351 Date: 18Apr2008 Time: 16:13:09 Product: VPN-1 Power/UTM Interface: Origin: xxxxxxxxxxxxx Type: Log Action: Drop Protocol: ipv6-crypt Source: xxxxxxxxxxxxx Destination: xxxxxxxxxxxxx Information: encryption fail reason: Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found SmartDefense Profile: No Protection
Obviously I've been required to remove specific information regarding our nodes. I tried pushing a new policy, thinking the tunnel could be out of sync; since then the second node in the cluster has flagged errors again in ClusterXL.
cphaprob list shows:
Quote:
Device Name: Synchronization Registration number: 0 Timeout: none Current state: problem Time since last report: 900.7 sec
and the tunnel still won't come up. Any suggestions would be much appreciated.
Thanks in advance.