> The duplicate SA issue is happening to me almost exactly every 2
> hours today (give or take a few minutes).  Always src IP PIX, dst IP 
> m0n0wall public IP, single SA in the other direction.  Deleting all 
> the SA's for that connection makes it come back within a couple 
> seconds.

I've found several (similar) entries in your log that make me think that
both racoon and PIX do not use *exactly* the same settings:

    pfs group mismatched: my:2 peer:0

It would be interesting to get the PIX's log, too.

-- Vincent