[c-nsp] PIX 515e - NetScreen 25 VPN : standby PIX crashing

[Andy Ashley]

Hi All,

We have a pair of Cisco PIX 515e's configured in a HA setup with LAN 
based stateful failover.
A few weeks back we were asked to configure a site to site VPN for a 
client. The remote site is using a NetScreen 25.

Ever since configuring this VPN the standby PIX unit has been crashing 
at odd intervals.
Much Googling and seaching of mailing lists has not turned up much 
besides a brief description of the error message.

 From the logs:

Sep 19 15:17:32 FWL02b/FWL02b %PIX-6-602303: IPSEC: An inbound 
LAN-to-LAN SA (SPI= 0xC2D85BA3) between 81.19.x.x and 217.205.x.x (user= 
217.205.x.x) has been created.
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715046: Group = 217.205.x.x, IP = 
217.205.x.x, constructing blank hash payload
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715046: Group = 217.205.x.x, IP = 
217.205.x.x, constructing IPSec delete payload
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715046: Group = 217.205.x.x, IP = 
217.205.x.x, constructing qm hash payload
Sep 19 15:17:32 FWL02b/FWL02b %PIX-3-713235: Group = 217.205.x.x, IP = 
217.205.x.x, Attempt to send an IKE packet from standby unit. Dropping 
the packet!
Sep 19 15:17:32 FWL02b/FWL02b %PIX-1-713900: IKEQM_P2Cleanup() Error - 
centry->refCnt less than 0 !
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715007: Group = 217.205.x.x, IP = 
217.205.x.x, IKE got a KEY_ADD msg for SA: SPI = 0x0be58f8a
Sep 19 15:17:32 FWL02b/FWL02b %PIX-7-715077: Group = 217.205.x.x, IP = 
217.205.x.x, Pitcher: received KEY_UPDATE, spi 0xc2d85ba3

As I understand it, the standby unit should never form a security 
association, unless the primary dies and failover to the standby unit 
occurs.
I was wondering if anyone has experienced similar behaviour or has any 
theories about why this is occuring?

Any thoughts or comments would be much appreciated..

Thanks.

Regards,
Andy.