3.5.4.1 Start of an IKE MM SA Negotiation

As part of the construction of message #1 for a new MM SA negotiation (as specified in [RFC2409] section 5), a fast failover-supporting host MUST include a "Vid-Initial-Contact" vendor ID payload (that is, a vendor ID payload that is generated using the vendor ID string "Vid-Initial-Contact", as specified in [RFC2408] section 3.16) if the host does not have any active MM SAs to the peer. This is determined by looking up the MMSAD using the peer IP address.

In addition, the host MAY also add the "Vid-Initial-Contact" vendor ID payload to message #1 if it has no open TCP connections to the peer and if new connection attempts cause the retransmission of SYN packets.<20>