I am currently experiencing the same issue, related to IKE traffic that is sent via the firewall. The related VPN tunnel does not terminate at the firewall, however the tunnel seems to get killed after a policy install. We are running GAIA R80.20, Jumbo Take 47 in VSX cluster VSLS mode [I don't think the software is related to this].
As mentioned in sk103598, Scenario 3, I have tried the first solution, by overwriting the global domain settings for ESP and setting a check mark for the option "Keep connections open after the policy has been installed". Still, after a policy install I am seeing the following message via "fw ctl zdebug + drop | grep <related_ip>" (output obfuscated):
[Expert@FIREWALL:2]# fw ctl zdebug + drop | grep 'x.x.x.x'
@;2413646;[vs_2];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=50 y.y.y.y:57794 -> x.x.x.x:17788 dropped by fw_handle_old_conn_recovery Reason: Other protocol packet that belongs to an old connection;
@;94946841;[kern];[tid_24];[SIM-206973856];simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn:<y.y.y.y,0,x.x.x.x,0,50>, fw_key:<x.x.x.x,0,y.y.y.y,0,50> !;
Now I am thinking about the second solution described in the mentioned SK:
"2) Allow all traffic to persist past a policy push. Open the firewall (cluster) objects properties, expand Advanced and select Connection Persistence. Select "Keep all connections"."
Here my question is: What exactly is the outcome of this change? Are old connections allowed even after the related rule which allowed them before has been deleted? Or is the security policy still checked and when the rule that allowed a specific connection has not been touched the connection is kept?
Thanks for any reply.
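A small triage helper, added here and not part of the original post, that parses the two kinds of zdebug lines quoted above and counts ESP packets dropped by fw_handle_old_conn_recovery per peer pair, so the drops can be correlated with policy-install times. The field names and the third sample line are my own constructions.

```python
import re
from collections import Counter

# Patterns for the two message types quoted in the post; field names are my own and the
# layout follows the obfuscated 'fw ctl zdebug + drop' output above.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"dropped by (?P<handler>\w+) Reason: (?P<reason>[^;]+);"
)
REORDER_RE = re.compile(
    r"simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets "
    r"for conn:<(?P<src>[^,]+),(?P<sport>\d+),(?P<dst>[^,]+),(?P<dport>\d+),(?P<proto>\d+)>"
)

# Constructed sample: the two lines from the post plus one unrelated placeholder drop line.
SAMPLE_LINES = [
    "@;2413646;[vs_2];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=50 y.y.y.y:57794 -> "
    "x.x.x.x:17788 dropped by fw_handle_old_conn_recovery Reason: Other protocol packet "
    "that belongs to an old connection;",
    "@;94946841;[kern];[tid_24];[SIM-206973856];simi_reorder_enqueue_packet: reached the "
    "limit of maximum enqueued packets for conn:<y.y.y.y,0,x.x.x.x,0,50>, "
    "fw_key:<x.x.x.x,0,y.y.y.y,0,50> !;",
    "@;2413700;[vs_2];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.0.5:4444 -> "
    "10.0.0.9:443 dropped by placeholder_handler Reason: constructed unrelated drop;",
]

def parse_line(line):
    """Return a dict for a drop or reorder-limit line, or None for anything else."""
    for kind, rx in (("drop", DROP_RE), ("reorder_limit", REORDER_RE)):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["kind"], rec["proto"] = kind, int(rec["proto"])
            return rec
    return None

def old_conn_esp_drops(lines):
    """Count ESP (proto 50) packets dropped by fw_handle_old_conn_recovery per src->dst
    pair; a non-zero count right after a policy install is the symptom the post describes."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["kind"] == "drop" and rec["proto"] == 50
                and rec["handler"] == "fw_handle_old_conn_recovery"):
            counts[(rec["src"], rec["dst"])] += 1
    return counts
```

Feed it the saved output of the zdebug command (one line per list entry) to see which ESP peer pairs are being hit by the old-connection recovery logic.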