Hmmm, I will try disabling offload, pretty sure I tried that before but may not have rebooted.
I have read about staying at version 1.7 if you run site to site VPN but nothing about on demand. I did have an issue going from 1.8.5 to 1.9 where I got no connectivity after the upgrade but I rebuilt the config from scratch and it was working fine until just recently. Everything else works great and I actually use the new application aware feature to handle both firewall rules and QoS so hate to give up those features.
I have read about staying at version 1.7 if you run site to site VPN but nothing about on demand. I did have an issue going from 1.8.5 to 1.9 where I got no connectivity after the upgrade but I rebuilt the config from scratch and it was working fine until just recently. Everything else works great and I actually use the new application aware feature to handle both firewall rules and QoS so hate to give up those features.