I'm just reporting this as two different ASG220 (rev 5) have given me this same issue. I went from v9.006-5 to the latest available, v9102-8, and everything worked fine when it came back up EXCEPT for an IPSEC connection we have. This is the most important connect we probably have, so I can't put the time in to diagnose further. Here is all the info I can give ya...
Here is a sample of the LIVE LOG for the ipsec session
2013:07:09-07:24:15 fw2 pluto[6684]: "S_CH-Vale" #86: cannot route -- route already in use for "X_CH-Vale"
2013:07:09-07:24:52 fw2 pluto[6684]: "S_CH-Vale" #85: max number of retransmissions (2) reached STATE_QUICK_R1
2013:07:09-07:24:55 fw2 pluto[6684]: "S_CH-Vale" #86: max number of retransmissions (2) reached STATE_QUICK_R1
2013:07:09-07:24:55 fw2 pluto[6684]: "S_CH-Vale" #84: received Delete SA payload: deleting ISAKMP State #84
2013:07:09-07:25:33 fw2 pluto[6684]: "S_CH-WWTP" #87: responding to Quick Mode
2013:07:09-07:25:34 fw2 pluto[6684]: "S_CH-WWTP" #87: IPsec SA established {ESP=>0xc7d0325e 0xb5ed8a3d 0x447d7f9a 0xc123fc3c
After updating our first firewall and finding the issue, I put the config on our backup and put it live and had no issues. I told it to update from 9.004-34 to the known good version of 9.006-5, but it went to 9.102-8 anyways (could have been something I did wrong, scheduled the 9.006-5 update for a specific time, only to find it kept going!)
Anywho, just wanted to report this. All my other IPSEC connections are working just fine, but this important one that connects our city to another didn't do so well on this update. Though, I didn't test it on 9.100016 or 9.101012.
Again, because of the importance of this connection, I'm simply pulling all info off it the device while I wait for the 9.006-5 u2d file is being downloaded. I'll still have the other device available on the newer version, but won't be able to do any live testing with it on the network as the downtime has already been too much.
This thread was automatically locked due to age.
