[greyfeld]

I am in the process of evaluating a Crossbeam C25. It was running NGX so I needed to update my test lab SmartCenter Server to NGX as well. After accomplishing this (may detail those issues later) and getting the object for the new firewall created, I tried to push an existing policy to the new firewall. When it tries to verify the policy and write out the new .pf file, it fails with error: stub identifier (vpn_enc_domain) "ip addresses" redefined. There are several of these error messages.

Looking at the .pf file, I can see what is happening. We have created a couple of remote Edge Wan HA configurations. In these configurations, I have set up two Edge boxes with the same internet facing IP address through which we manage the boxes. I also have an object for each of these in the firewall since they have different MAC addresses, license numbers, etc. but both have the same IP address for their object. When NGX is creating the policy file for the Crossbeam, it is creating these stub identifiers for each firewall and there are two entries, Edge1a and Edge1b, with the same IP address. Pushing the policy fails everytime as it chokes when it verifies the lines where Edge1b's entries are.

Does anyone know how to get around this problem? Thanks for you help!