Hey Steve,
I have two logical external firewalls, each configured as 3.8-stable HA
pairs using pfsync, CARP, sasyncd, etc.
On my first firewall I see exactly this with 1 VPN terminating on a
Checkpoint R60 (NGX) HA cluster. However, the VPN is 100% stable and VPN
failover works 9 out of 10 times; on the 10th occasion failover appears
to work but no traffic flows.
On my second firewall I see no such entries: 3 x VPNs, 2 terminating on
GNAT1000 boxes (FreeS/WAN?), the other on a single 3.8-stable box. 100%
stable, VPN failover works every time.
I have used the traditional isakmpd.conf method of configuring the
VPNs. In both cases the OBSD boxes replaced Checkpoint R55 boxes;
during my extensive testing with an R55 box at one end, non-HA, and OBSD
at the other, I again saw no such entries. I therefore wonder if it could
be an R60 thing or a CP HA thing?
What IPSec device(s) are at the other end of your VPN(s)?
Steven S wrote:
Are these messages "normal" for a carped pair of firewalls running isakmpd
with sasyncd (3.8-stable)?
FW1/master - /var/log/message:
Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
FW2/backup - /var/log/message:
Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
-Steve S.
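As an added example (not part of the original thread or of isakmpd itself), a small Python script that parses the two isakmpd message shapes quoted above and flags any peer for which one firewall drops INVALID_COOKIE messages while a different firewall reports giving up on the exchange, the master/backup pattern in Steve's logs. The sample records are constructed from the post, with the peer address anonymised as in the original.

```python
import re
from collections import Counter, defaultdict

# Sample records constructed from the messages quoted in the thread (peer
# address anonymised as in the post); each syslog record is one line here.
SAMPLE_LOG = """\
Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port 500 due to notification type INVALID_COOKIE
Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
"""

# syslog prefix ("Mar 16 01:37:40 fw1 isakmpd[32692]: ") plus the two message shapes.
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) isakmpd\[\d+\]: "
DROP_RE = re.compile(PREFIX + r"dropped message from (?P<peer>\S+) port \d+ "
                     r"due to notification type (?P<ntype>\S+)$")
GIVEUP_RE = re.compile(PREFIX + r"transport_send_messages: giving up on exchange "
                       r"\S+, no response from peer (?P<peer>.+):\d+$")


def summarize(log_text):
    """Count dropped messages per (host, peer) by notification type, and
    'giving up' events per (host, peer). Lines matching neither are ignored."""
    drops = defaultdict(Counter)   # (host, peer) -> Counter{notification type}
    giveups = Counter()            # (host, peer) -> count
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            drops[(m["host"], m["peer"])][m["ntype"]] += 1
            continue
        m = GIVEUP_RE.match(line)
        if m:
            giveups[(m["host"], m["peer"])] += 1
    return drops, giveups


def suspect_peers(drops, giveups):
    """Peers for which one firewall drops INVALID_COOKIE messages while a
    different firewall reports giving up on the exchange with that same
    peer: the pattern across the master and backup logs in the post."""
    cookie_hosts, giveup_hosts = defaultdict(set), defaultdict(set)
    for (host, peer), c in drops.items():
        if c["INVALID_COOKIE"]:
            cookie_hosts[peer].add(host)
    for (host, peer) in giveups:
        giveup_hosts[peer].add(host)
    return sorted(p for p in cookie_hosts if giveup_hosts[p] - cookie_hosts[p])
```

Feed it the concatenated /var/log/messages of both CARP members to get per-peer counts and the list of peers showing the split pattern.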