NSR 8.2r1

  • Hi All,

    Has anyone been using NSR 8.2r1 with ScreenOS 4.0.3r2???

    I have had quite a few customers now reporting problems with VPN connectivity. The issue seem to mainly occur when using the virtual adapter.

    The symptom is that Phase1 and Phase2 complete and the event log on the netscreen device show Phase2 successfully completed, as does the NSR log. However, a few seconds after NSR has loaded the IPSec SA a “PAYLOAD_MALFORMED” error appears in the log and the VPN is disconnected. The following messages appear in the log when the VPN fails:

    13:18:14.005 My Connections\Troika VPN - Loading IPSec SA (Message ID = 22BB2B13 OUTBOUND SPI = 940EE37E INBOUND SPI = F745E060)

    13:18:14.005 6-25: 13:18:15.907 My Connections\Troika VPN - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:PAYLOAD_MALFORMED)

    13:18:15.907 My Connections\Troika VPN - Discarding IPSec SA negotiation (message id: 22BB2B13)
    13:18:15.907 My Connections\Troika VPN - Deleting IPSec SA (OUTBOUND SPI = 940EE37E INBOUND SPI = F745E060)

    Anyone else using these version and had problems?



    P.S. Looks like back revving to NSR 8.1r3 things are ok???

  • 8.3r1 downloaded, installed and now works with SecurID!!! 🙂

    Hurrah…looks like lots of other issues have also been sorted…


  • rng - any update on the full release?? - hoping this will be 8.2r2???


  • Thanks rng - I will wait for the official release before passing onto customers , but thanks for the info…1-2 weeks is cool


  • JJ,
    There is a patch for SecurID available, but it is still using a Safenet brand. I anticipate a full release, with numerous fixes for 8.2r1 within the next week or two.

    If you really need it, send me a private note, and I’ll post it on my private FTP server so you can download it.

  • Still no SecurID fix 😞

  • Engineer

    Will immediatly check for it. Thanks foir the update …

  • JJ,
    No update on the SecurID issue, unfortunately. Safenet needs a sample token, with the user set up, of course, so they can reproduce the problem from their side. So far, they haven’t been able to. I’m not savvy enough to set up the whole SecurID/ACE server to reproduce this problem

    There is a patch available on the client side for the Malformed Payload issue. I believe it is 10.0.3.

  • rng >> any news on the SecurID problems???


    P.S. Thanks for the update on the payload_malformed issue.

  • Engineer

    Patch on the client side ??? support doesn’t speak about this.

    They send me patch per device with but I prefer wait for released version of screenOS before ask customers to upgrade !!

  • NSR 8.2r1 has many problems. It has extremely high visibility with Safenet because of all the problems. There are patches available on both the NetScreen side, and NSR side for the malformed payload issue.

    It’s best to open up a trouble ticket to obtain these patches.

  • Just found out that 8.2r1 has also broken SecurID functionality…doh!!!

    What does work in 8.2r1??? 😢 😢


  • hmm…thought so…

    I guess they will include the bug fixes into other versions as time goes on…


  • hmm…thought so…

    I guess they will include the bug fixes into other versions as time goes on…


  • Engineer

    Quite sure, you need to take a look at the release note to see which features has been introduced with 4.0.3 and see if you are concerned.

  • ah ok…but surely if I go to 4.0.1r11 I will lose some of the 4.0.3 functionality???


  • Engineer

    This is not exactly the case.
    the R number (r1, r2, r3) indicated bug correction for a same release.
    the X number (4.x) indicate screenOS feature change or several (a lot) bug correction.

    Then 4.0.2r11 is released later than 4.0.3r2.

  • @cyh:

    you need to look at the release date, not only the version number.

    cyh - bit of a strange answer - can you please elaborate…

    to my knowledge 4.0.3r2 and 8.2r1 ARE the latest builds and have the latest release dates…


  • you need to look at the release date, not only the version number.

  • cyh - are you sure??? I am using 8.2r1 with 4.0.3r2 and still getting the problem…

    I agree downgrading to 7.x fixes it, but this also introduces other bugs and removes some functionality 😞

    Hope NS sort out the client side pretty soon…