IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.9.2 bug fixes
System
High Availability - IPsec VPN
Support reference 74860
As the SAD's (Security Association Database) anti-replay counters are sent to the passive firewall, sequence numbers are incremented in line with the high availability (HA) mechanism's operating mode.
Whenever the passive firewall detected IPsec traffic in HA configurations (e.g. monitoring frames from virtual IPsec interfaces), it would also send incremented sequence numbers to the active firewall.
As a result of these successive increments, sequence numbers would quickly reach the maximum values allowed. This would then wrongly activate IPsec anti-replay protection and block traffic going through tunnels. This issue has been fixed.