CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I am having a problem using Secure Client on a High Availability pair of Nokia firewalls running VRRP. Everything works fine: when I fail over to the backup firewall the transition is smooth and the state is preserved. I don't drop a packet. After 60 mins, however, all Secure Client connections have dropped, i.e. when they try to renegotiate phase 2 they fail. It looks like the backup firewall can't handle things when the key is rotated after 60 mins. I see error messages in the log like this:

encryption failure: Unknown SPI: 0xa051f477 for UDP encapsulated IPsec packet.
encryption fail reason: Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found

NAT Traversal mechanism (UDP Encapsulation) Allocated port: VPN1_IPSEC_encapsulation for Remote Access connections is set. The Secure Clients are not behind any NAT devices.

Firewall builds are Check Point VPN-1(TM) & FireWall-1(R) NGX (R61) HFA_02, Hotfix 602 - Build 022, kernel: NGX (R61) HFA_02, Hotfix 602 - Build 022, running on Nokia IPSO 4.1-BUILD022, IP390s, hard disk based.
The management servers are on Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006 on Check Point SecurePlatform Pro NGX (R65) Build 123.
The Secure Client is R60 HFA02.

Any help on this matter would be appreciated.

FWS
This issue has been resolved successfully. The problem was a combination of 2 configuration settings.

1. On the backup firewall the "Accept connections to VRRP IP address" wasn't enabled in IPSO. This should be enabled.
2. On the firewall cluster object the parameter "ike_support_crash_recovery_sr" was set to false. This should be set to true. This setting must be changed through the GUIDBedit tool or through vi.
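One way to spot the failure pattern described in this thread in the firewall logs, as an added example that is not the thread's or Check Point's own code: it parses the quoted "Unknown SPI" message (the syslog-style timestamp prefix and the sample lines are assumed and constructed) and flags a burst of distinct SPIs failing close together, which is what a member that lacks the rekeyed SAs after failover produces.

```python
"""Flag bursts of 'Unknown SPI' drops like the one quoted in the thread.

Added example, not the thread's or Check Point's code; the timestamp prefix and
sample lines are constructed, only the message text mirrors the poster's quote.
"""
import re
from datetime import datetime, timedelta
UNKNOWN_SPI = re.compile(  # leading timestamp is an assumption about the log layout
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"encryption failure: Unknown SPI: (?P<spi>0x[0-9a-fA-F]+) "
    r"for UDP encapsulated IPsec packet"
)

def parse_unknown_spi(lines):
    """Yield (timestamp, spi) for every Unknown-SPI drop in the log lines."""
    for line in lines:
        m = UNKNOWN_SPI.search(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("spi")

def find_sa_loss_bursts(lines, window=timedelta(minutes=5), min_spis=3):
    """Return (start, [spis]) per window holding >= min_spis distinct SPIs.

    One unknown SPI is a single stale client SA; many distinct SPIs failing
    together is the thread's symptom: the serving member lacks the rekeyed SAs.
    """
    events = sorted(set(parse_unknown_spi(lines)))
    bursts, i = [], 0
    while i < len(events):
        start, end = events[i][0], events[i][0] + window
        j, spis = i, set()
        while j < len(events) and events[j][0] < end:
            spis.add(events[j][1])
            j += 1
        if len(spis) >= min_spis:
            bursts.append((start, sorted(spis)))
            i = j  # report a burst once, then move past it
        else:
            i += 1
    return bursts

# Constructed sample: an isolated stale SA at 09:02, then a burst an hour later.
SAMPLE_LOG = """\
2024-03-01 09:02:11 fw2 kernel: encryption failure: Unknown SPI: 0x1a2b3c4d for UDP encapsulated IPsec packet
2024-03-01 10:01:03 fw2 kernel: encryption failure: Unknown SPI: 0xa051f477 for UDP encapsulated IPsec packet
2024-03-01 10:01:09 fw2 kernel: encryption failure: Unknown SPI: 0x0be44120 for UDP encapsulated IPsec packet
2024-03-01 10:01:15 fw2 kernel: encryption failure: Unknown SPI: 0x7c9d01ee for UDP encapsulated IPsec packet
2024-03-01 10:02:00 fw2 kernel: VRRP: state transition to master
""".splitlines()
```

A burst reported right after a rekey interval on the member now serving traffic points at SA state not being available on that member, which is the case the two settings above address.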