Hi all,
I am experiencing a very strange behavior with an IPsec tunnel between a customer's site (Checkpoint) and our UTM9:
It seems to me that every evening at the same time our customer kills all IPsec connections - somewhat ungracefully.
Then the next morning our IPsec tunnel is sometimes online sometimes offline, but anyhow I see the following log entries whenever I try to ping something through the tunnel:
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227715: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#224532}
2018:03:09-08:03:16 utm-1 pluto[7368]: packet from 212.183.15.178:500: ignoring Vendor ID payload [FRAGMENTATION]
2018:03:09-08:03:16 utm-1 pluto[7368]: packet from 212.183.15.178:500: ignoring Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d5aa231b4...]
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227716: responding to Main Mode
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227716: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227716: sent MR3, ISAKMP SA established
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227716: received Delete SA payload: deleting ISAKMP State #224532
I understand that our UTM tries to initiate a Quick Mode, as the Main Mode is not expired yet (at least from our point of view), but then it receives a Main Mode response from the customer's firewall?
After these entries no further Quick Mode or retry connects are logged, and whenever I repeat the ping I observe the same behavior and log entries. My workaround is to disable the IPsec profile and re-enable it again to force a full initialization of the tunnel.
Could someone explain that behavior?
Thanks in advance!
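The pattern in the log above (a Quick Mode initiated on an ISAKMP SA the peer no longer knows about, followed by the peer building a fresh Main Mode SA and sending a Delete for the old state) is easy to spot by hand once, but tedious to watch for every morning. The following added example, which is not code from the original post or from Sophos, parses pluto log lines of the shape shown in the post and reports any Quick Mode attempt whose underlying ISAKMP SA was deleted by the peer before an IPsec SA was established on it. The `SAMPLE_LOG` reuses the lines from the post; the `HEALTHY_LOG` lines, the state numbers in it, and the `sent QI2, IPsec SA established` wording used to mark a successful Quick Mode are constructed for the example.

```python
import re

# Constructed sample: the pluto lines quoted in the post above (state numbers as given there).
SAMPLE_LOG = """\
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227715: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#224532}
2018:03:09-08:03:16 utm-1 pluto[7368]: packet from 212.183.15.178:500: ignoring Vendor ID payload [FRAGMENTATION]
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227716: responding to Main Mode
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227716: sent MR3, ISAKMP SA established
2018:03:09-08:03:16 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227716: received Delete SA payload: deleting ISAKMP State #224532
"""

# Constructed sample of a healthy rekey: the Quick Mode completes, so no finding is expected.
HEALTHY_LOG = """\
2018:03:09-08:10:00 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227720: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#227716}
2018:03:09-08:10:00 utm-1 pluto[7368]: "S_REF_IpsSitXXX_0" #227720: sent QI2, IPsec SA established
"""

# Generic shape of a pluto state-tagged line: timestamp, host, pluto[pid]:, "conn" #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
QM_RE = re.compile(r'initiating Quick Mode .*\{using isakmp#(?P<isakmp>\d+)\}')
DEL_RE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(?P<isakmp>\d+)')


def parse_line(line):
    """Return the fields of a state-tagged pluto line, or None for other lines
    (e.g. the 'packet from ...: ignoring Vendor ID payload' lines, which carry no state)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_stale_isakmp(log_text):
    """Scan pluto log lines in order and report Quick Mode attempts whose ISAKMP SA
    the peer deleted before any IPsec SA was established on it."""
    pending = {}      # (conn, isakmp_state) -> Quick Mode state number still waiting for an IPsec SA
    established = {}  # conn -> most recently established ISAKMP state number
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        conn, state, msg = rec["conn"], rec["state"], rec["msg"]

        qm = QM_RE.search(msg)
        if qm:
            pending[(conn, qm["isakmp"])] = state
            continue
        if "ISAKMP SA established" in msg:
            established[conn] = state
            continue
        if "IPsec SA established" in msg:
            # pluto logs the successful Quick Mode under the same state number it was
            # initiated with, so that entry is no longer pending.
            for key in [k for k, v in pending.items() if k[0] == conn and v == state]:
                del pending[key]
            continue
        d = DEL_RE.search(msg)
        if d and (conn, d["isakmp"]) in pending:
            findings.append({
                "ts": rec["ts"],
                "conn": conn,
                "isakmp": d["isakmp"],                    # phase 1 SA the UTM still trusted
                "qm_state": pending.pop((conn, d["isakmp"])),  # Quick Mode that can never finish
                "replaced_by": established.get(conn),     # fresh ISAKMP SA the peer negotiated
            })
    return findings


if __name__ == "__main__":
    for f in find_stale_isakmp(SAMPLE_LOG):
        print(f"{f['ts']} {f['conn']}: Quick Mode #{f['qm_state']} used ISAKMP #{f['isakmp']}, "
              f"which the peer deleted after establishing #{f['replaced_by']}; "
              f"phase 2 will not complete until phase 1 is renegotiated")
    print("healthy sample findings:", find_stale_isakmp(HEALTHY_LOG))
```

Fed the post's own lines, the script reports one finding for connection `S_REF_IpsSitXXX_0`: Quick Mode `#227715` rode on ISAKMP `#224532`, which the peer deleted right after establishing `#227716`. The healthy sample yields nothing, because its Quick Mode reaches `IPsec SA established` before any Delete arrives. Running it over the morning's log (or wiring the same check into a log monitor) tells you whether the tunnel is in the stuck state the post describes, without waiting for a failed ping.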