Phase 2 problems after firewall failover

I am having a problem using Secure Client on a High Availability pair of Nokia firewalls running VRRP.

Everything works fine when I fail over to the backup firewall: the transition is smooth and the state is preserved. I don't drop a packet. After 60 mins, however, all Secure Client connections have dropped, i.e. when they try to renegotiate phase 2 they fail. It looks like the backup firewall can't handle things when the key is rotated after 60 mins.

I see error messages in the log like this:

encryption failure: Unknown SPI: 0xa051f477 for UDP encapsulated IPsec packet.
encryption fail reason: Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found

NAT Traversal mechanism (UDP Encapsulation) Allocated port: VPN1_IPSEC_encapsulation for Remote Access connections is set. The Secure Clients are not behind any NAT devices.

Firewall builds are:
Check Point VPN-1(TM) & FireWall-1(R) NGX (R61) HFA_02, Hotfix 602 - Build 022
kernel: NGX (R61) HFA_02, Hotfix 602 - Build 022
running on Nokia IPSO 4.1-BUILD022 IP390s Hard Disk based

The management servers are on:
Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006
on Check Point SecurePlatform Pro NGX (R65) Build 123

The Secure Client is R60 HFA02.

Any help on this matter would be appreciated.

FWS