Channel: SRX Services Gateway topics

SRX 320. IPSEC vpn worked then got flakey


New SRX 320 install (SRX300-JSB), upgrade from an SSG-20

About 25 or so Avaya IP Phones with IPSEC client firmware loaded.  Using local/internal xauth database.

On initial installation, the 25 remote VPN client phones came up just fine (no changes were required on the client end) upon swapping out the SSG 20.  Phase 1, Phase 2, phones register to the PBX on the LAN.

About a week later things got weird.  No changes made to the config, but one morning some users are reporting their remote phones are not working.  About half of them.  I can see IKE and IPSEC SAs in the firewall as well as ike active-peers.  Everything looks OK, but they are not getting inward to the PBX to register and are stuck there.  No rhyme or reason as to who is working and who isn't and they are all configured identically.

So, just a shot in the dark, I upgraded the firewall from 15.1X49-D70.3 to D75 last night.

The result of that was now only two phones will work - I can see 20 or so are succeeding with Phase 1, then Phase 2, getting an IP from the pool and end user reports it's "discovering" which means it's trying to register.

The two phones that do work I can't kill!  I clear IKE and IPSEC SA and they bounce right back and register, but no others will.

Putting the SSG 20 back in place resulted in all devices' tunnels coming up and working - no changes to client side needed.

I'm losing my mind.  Is this some sort of strange hardware failure?

