I patched one of our slave servers to NW6.5SP7. It was already at BM3.8sp5, and working without a problem. After NW6.5sp7, I cannot get the VPN to come back up. The master is still NW6.5SP6 (BM3.8SP4). I've re-generated and re-exchanged keys, rebooted both sides, and am still not connected.

See the following errors:

Could not make WAN connection to VPTUNNEL@64-x-x-x due to CSL Failure

...which is one of the other SLAVE servers, so maybe not an issue... But why is it listing that one only, when we have 5 other Slave sites?

Also, VPSLAVE doesn't load on its own, so when loaded manually it states:

VPMaster:Get Server Role Returned Error -603

...which happens to be the same error we had at another site, which we fixed by using an Internal-To-Novell-updated vpslave.nlm, but that still didn't work on this current site.

I've run DSRepair, and have rebooted the server a few times with no luck.

The CSAUDIT log reports the following:

VPN -- Sun Nov 18 07:18:32 2007

VPN -- Sun Nov 18 07:18:32 2007
The VPTUNNEL is initializing.

VPN -- Sun Nov 18 07:18:32 2007
The VPTUNNEL has been initialized.

VPN -- Sun Nov 18 07:18:32 2007
Initiated an IP call to 64-x-x-x #This is the same IP from above

VPN -- Sun Nov 18 07:29:52 2007

VPN -- Sun Nov 18 07:29:52 2007
Waiting for connection from master.

It also looks like there is a bad static route on the Master. Unsure how it got there. But it does have the right one for the Slave's.

I am thinking of looking at the Post SP7 patches next to see if those might fix it... Your thoughts?

...Yes, I do realize it's recommended that we convert to IKE VPN. Can both types exist on the same Master? What are the implications?

BTW, after SP7, iManager is now broken, so I installed iManager 2.6 on a Windows box to manage in the meantime.