On 3/16/06, Steven S <[EMAIL PROTECTED]> wrote:
> Are these messages "normal" for a carped pair of firewalls running isakmpd
> with sasyncd (3.8-stable)?

This happened to me until I changed the default lifetimes in isakmpd.conf.

I have a road-runner setup, so exchanges are always initiated by the remote peer. What happened after a fail-over was that the Main Mode exchange was still valid, but isakmpd on the new master didn't have a clue (sasyncd has nothing to do with isakmpd).

Setting Default-phase-1-lifetime < Default-phase-2-lifetime forces a new main mode exchange in case of a fail-over.

/martin

> FW1/master - /var/log/message:
> Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
> 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
> 500 due to notification type INVALID_COOKIE
> Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
> 222729dc227c8f28 a0d29ef92ee65243
> Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
> 500 due to notification type INVALID_COOKIE
>
> FW2/backup - /var/log/message:
> Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
> exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
> Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
> exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
>
> -Steve S.
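
Added example (not part of the original message, and not code from isakmpd or sasyncd): a small Python check that pairs each "invalid cookie(s)" line with the "dropped message" line that follows it and reports peers that keep retrying the same cookie pair. It assumes unwrapped syslog lines in the format quoted in the message, and treats a repeated pair as a peer still using a phase-1 SA that the local isakmpd does not hold; the sample log, the addresses in it and the name `stale_sa_peers` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the message (lines unwrapped;
# peer addresses are documentation-range placeholders, not from the thread).
SAMPLE_LOG = """\
Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from 192.0.2.178 port 500 due to notification type INVALID_COOKIE
Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from 192.0.2.178 port 500 due to notification type INVALID_COOKIE
Mar 16 01:40:02 fw1 isakmpd[32692]: message_recv: invalid cookie(s) 1111111111111111 2222222222222222
Mar 16 01:40:02 fw1 isakmpd[32692]: dropped message from 198.51.100.7 port 500 due to notification type INVALID_COOKIE
"""

COOKIE_RE = re.compile(
    r"isakmpd\[(\d+)\]: message_recv: invalid cookie\(s\) "
    r"([0-9a-f]{16}) ([0-9a-f]{16})")
DROP_RE = re.compile(
    r"isakmpd\[(\d+)\]: dropped message from (\S+) port \d+ "
    r"due to notification type INVALID_COOKIE")


def stale_sa_peers(log_text, min_repeats=2):
    """Return {peer: {(icookie, rcookie): count}} for cookie pairs that a
    peer retried at least min_repeats times."""
    pending = {}  # isakmpd pid -> cookie pair awaiting its "dropped" line
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = COOKIE_RE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = DROP_RE.search(line)
        if m and m.group(1) in pending:
            # Attribute the cookie pair to the peer named in the drop line.
            counts[m.group(2)][pending.pop(m.group(1))] += 1
    report = {}
    for peer, pairs in counts.items():
        repeated = {c: n for c, n in pairs.items() if n >= min_repeats}
        if repeated:
            report[peer] = repeated
    return report


if __name__ == "__main__":
    for peer, pairs in stale_sa_peers(SAMPLE_LOG).items():
        for (icookie, rcookie), n in pairs.items():
            print(f"{peer}: cookie pair {icookie}/{rcookie} rejected {n} times")
```
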