- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
The IPsec tunnel goes down at phase 2 rekeying with Checkpoint. Messages like the following ones are generated in the ike log:

    message_parse_payloads: reserved field non-zero: 2
    dropped message from 220.127.116.11 port 500 due to notification type PAYLOAD_MALFORMED
Additionally, if multiple subnets are configured at a location, traffic may not pass through the tunnel for all of them.
The rekeying fails because the ISAKMP daemon (isakmpd) continues to use the old SA instead of the new one. The option KeepOneReplacedSA keeps multiple instances of the SAs.
This option is enabled by default with KeepOneReplacedSA=1 in isakmpd.conf. The value can be changed via the tunnel configuration, so the option may have been manually disabled in the "RAW IPSec" settings.
If the option is indeed set to "0", delete the KeepOneReplacedSA=0 entry to restore the default setting.
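The following shell functions are an added example, not part of the original article or of the Barracuda/phion product: they check an ike log excerpt for the two symptom messages above and audit a RAW IPSec settings snippet for an explicitly disabled KeepOneReplacedSA, printing the settings without that entry so the isakmpd.conf default applies again. The log and settings samples are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not taken from the article. Sample inputs are constructed.

# Constructed ike log excerpt containing the two symptom lines from the article.
IKE_LOG_SAMPLE='message_parse_payloads: reserved field non-zero: 2
dropped message from 220.127.116.11 port 500 due to notification type PAYLOAD_MALFORMED
isakmpd: phase 2 done'

# Constructed RAW IPSec settings in which the option was manually disabled.
RAW_IPSEC_SAMPLE='KeepOneReplacedSA=0
SomeOtherOption=1'

# Pattern for an explicit "KeepOneReplacedSA=0" line (whitespace tolerant).
DISABLED_RE='^[[:space:]]*KeepOneReplacedSA[[:space:]]*=[[:space:]]*0[[:space:]]*$'

# Returns 0 when the ike log excerpt on stdin shows both symptom messages
# of the failed phase 2 rekeying, 1 otherwise.
has_rekey_symptom() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'reserved field non-zero' &&
    printf '%s\n' "$log" | grep -q 'notification type PAYLOAD_MALFORMED'
}

# Returns 0 when the RAW IPSec settings on stdin explicitly disable the option.
keep_one_replaced_sa_disabled() {
    grep -Eq "$DISABLED_RE"
}

# Prints the settings from stdin with the KeepOneReplacedSA=0 entry removed,
# so the default KeepOneReplacedSA=1 from isakmpd.conf is in effect again.
remove_disabled_entry() {
    grep -Ev "$DISABLED_RE" || true
}
```

Run the audit against an exported RAW IPSec settings block with `remove_disabled_entry < settings.txt` and compare the output before applying it through the tunnel configuration.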