We will create SK on Sunday.
To make it more clear in the meanwhile:
1. We are not talking about the narrowing issue which started this thread - Regarding the narrowing issue, there is a fix which still not part of the JHF (will be part of the next one, follow the JHF SK). If you need the fix (according to my guidance in my last respond on it), please contact TAC to get it - only customers who have narrowed tunnels.
2. Since there was a change in a VPN table in take 119, upgrade to this take *might* cause some outage on some tunnels when 1 member is running with take >119 and the other member with take < 119.
In order to overcome it, there are 2 options:
A. Upgrade both of the members at the same time during maintenance window
B. Add to fwkern.conf the following line:
and run this CLI - fw ctl set int fw_ha_vpn_handle_becaming_ready 1 on both members
This is not a bug which needs to be fix - future updates after that won't need this procedure anymore (when the initial state is both members running with take >= 120, prior to the upgrade).
I hope this is more clear now.
Please let me know if more details are needed.
IPsec VPN R&D group manager.