No, had two other issues after R80.40 upgrade that were more pressing. Our cluster failed first if the second node was brought up, but got that fixed. Not entirely sure about the root cause. Then one working tunnel stopped working altogether, some compatibility issue with Juniper interoperable device that started with R80.40. That is now under investigation.

I had not see this personally in any version before. Are you using latest smart console version? Does it happen for every VPN tunnel?

I downloaded the latest after upgrading to R80.40 and with every vpn tunnel, I believe. Didn't try all of them, since there are quite many, but randomly chosen ones.

The version is SmartConsole Build 994000424, Version R80.40.

Can you send the screenshot of the error?

Thats odd TAC would tell you that, because at least 5 TAC engineers in the past I talked to told me their recommendation is always to have customers reset tunnel via vpn tu and not SV monitor. Personally, and I dont think this is really a secret, SV monitor has been known from long time ago not to give right info and even doing tunnel reset has been flaky, to say the least.

Vpn tu resets the tunnel, I have been using that.

Actually just noticed, that mgmt is running just R80.40, gw's are running R80.40 take 120 (latest). Have to try to upgrade mgmt.

Honestly, that would personally be my next step. Make sure mgmt is updated to latest code/jumbo and also that you are using latest smart console build. 

I will restart a VPN via SmartView Monitor in a couple of hours and see whats happen.

Regarding the problem I have with vpn tu and restart/reset... When i list all IPSec SAs for a given peer (4), I got (No IPSec SAs). Se below! When I do the "vpn tu tlist -p <IP OF THE PEER>"  I got information about 4 IPSEC sa for given peer. and MyTS/Peer TES and tunnel created/expiration shows the correct information.

4

SAs of all instances:

Enter IP of peer (format: xxx.xxx.xxx.xxx): xxx.xxx.xxx.yyy

Peer xxx.xxx.xxx.yyy, NAME SAs:

IKE SA <cfdcc12bda9f10aa,28dec611e06edc4c>
(No IPSec SAs)

-------

(4) Site-to-Site tunnels are up:
IPSEC 4
NAT-T 0

Ok, so that output literally shows that something is wrong with phase2 or is not coming up at all. If it shows IKE stuff, thats all phase 1, but if it shows you that there are no ipsec SAs, thats 100% sign that phase 2 is not coming up.

 Its up according to vpn tu tlist -p <IP OF THE PEER> and I have traffic in those IPSec SA:s but "vpn tu #4" doesn´t show the correct information...

(No IPSec SAs)

Ok, I see what you mean...thats odd. Maybe confirm with TAC, because that does not seem normal at all, as option 4 should reflect the status of the tunnel.