During rollout of BM3.8 we have a C2S problem.
All servers are running NW6.5-SP2 and BM3.8SP2 incl. all patches.
VPN Client is 3.8.7

S2S work fine on the VPN Master and 2 VPN Slave servers.
C2S works fine on Master.
C2S on slave: it seems that only one account works normal. All other
C2S connections (using the same machine!!!) get the following message
on the IKE screen:
Invalid payload length - HASH-PAYLOAD payload
IKEQMTimeoutHandler: Packet retransmit exceeded the limit! the SA
be deleted
The client xxxxx removed from vpninf

The client seems to hang at the status "negotiating and
authenticating" but after several minutes we get a message that IKE
didn't react on the start command (sorry for my poor translation into
English...), the timelimit was exceeded.

It's hard to believe that on the same machine a vpn login with one
user works, with other users not. I created different test users in
different containers - the same effect.
The same users which don't work on the slave can make a vpn login on
the master!!!