encryption failure: packet is dropped as there is no valid SA (NG HA)

After a failover occurs, active SecuRemote/SecureClient connections fail.

Error message in the Info field of the Log Viewer:
"encryption failure: packet is dropped as there is no valid SA"

Cause: the property "fwha_sync_outbound_sa" has not been changed from its default setting of "false" to "true", so outbound IKE Phase 2 SAs are not synchronized between cluster members.

To resolve the problem, proceed as follows:

1. Close all open Policy Editors.
2. On the Management Server, run the command $FWDIR/bin/dbedit.
3. Log in using a VPN-1/FireWall-1 administrative account.
4. Enter the following command: modify properties firewall_properties fwha_sync_outbound_sa true
5. Enter the following command: update properties firewall_properties
6. Enter the command "quit".
7. Open the Policy Editor and install the policy on all cluster members.
8. Stop and restart the FireWall-1 service on each node by running cpstop/cpstart.
9. After the next full synchronization (which can be forced by rebooting the cluster nodes), the outbound SAs will be synchronized and SecuRemote/SecureClient connections will fail over.

1ST JAN 2003 JIM PARKER
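A read-only check that the property change from steps 4 and 5 was saved, run before installing the policy in step 7. This is an added example, not part of the original note or of Check Point's tooling. It assumes the property is stored as a line of the form ":fwha_sync_outbound_sa (true)" in the objects database file (for example $FWDIR/conf/objects_5_0.C); the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: properties appear as ":name (value)" lines
# in the objects database file passed as the first argument.

# Prints true, false, unset (the default "false" then applies),
# unreadable, or unexpected:<value>.
sync_outbound_sa_state() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    value=$(sed -n 's/^[[:space:]]*:fwha_sync_outbound_sa[[:space:]]*(\([^)]*\)).*/\1/p' "$file" | head -n 1)
    case $value in
        true)  echo true ;;
        false) echo false ;;
        "")    echo unset ;;
        *)     echo "unexpected:$value" ;;
    esac
}

# Returns 0 only when outbound SA synchronization is enabled.
check_outbound_sa_sync() {
    state=$(sync_outbound_sa_state "$1") || true
    if [ "$state" = true ]; then
        echo "OK: fwha_sync_outbound_sa is true in $1"
        return 0
    fi
    echo "NOT SET: fwha_sync_outbound_sa is $state in $1;" \
         "outbound IKE Phase 2 SAs will not be synchronized"
    return 1
}

# Constructed sample file for trying the check offline: $1 = path, $2 = value.
make_sample() {
    printf '(\n\t:firewall_properties (\n\t\t:fwha_sync_outbound_sa (%s)\n\t)\n)\n' "$2" > "$1"
}

# Run the check when a file path is given on the command line.
if [ $# -gt 0 ]; then
    check_outbound_sa_sync "$1"
fi
```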