diff --git a/history.txt b/history.txt
index e47b217cf7..f358939f41 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,6 @@
+2018-08-26 zzz
+ * NTCP2: Publish outbound address after transition to firewalled
+
 2018-08-24 zzz
  * i2psnark: Better comment deduping, fixes rating average
  * NTCP2: Enable by default
@@ -36,7 +39,7 @@
 2018-07-27 zzz
  * Console: Split netdb output into pages
  * Router: Implement router.rejectStartupTime config (ticket #2285)
- * Transport: Defer NTCP 1/2 classifiation until receiving 64 bytes
+ * Transport: Defer NTCP 1/2 classification until receiving 64 bytes
 
 2018-07-21 zzz
  * Build: Add check for libtaglibs package in debian builds
diff --git a/router/java/src/com/southernstorm/noise/protocol/Noise.java b/router/java/src/com/southernstorm/noise/protocol/Noise.java
index f21184862a..595604a7e2 100644
--- a/router/java/src/com/southernstorm/noise/protocol/Noise.java
+++ b/router/java/src/com/southernstorm/noise/protocol/Noise.java
@@ -22,6 +22,7 @@
 
 package com.southernstorm.noise.protocol;
 
+import java.lang.reflect.InvocationTargetException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
@@ -128,7 +129,11 @@ public final class Noise {
 			// java since 1.7; android since API 19
 			Class<?> c = Class.forName("javax.crypto.AEADBadTagException");
 			throw (BadPaddingException)(c.getDeclaredConstructor().newInstance());
-		} catch (Exception e) {
+		} catch (ClassNotFoundException e) {
+		} catch (InstantiationException e) {
+		} catch (IllegalAccessException e) {
+		} catch (InvocationTargetException e) {
+		} catch (NoSuchMethodException e) {
 		}
 		throw new BadPaddingException();
 	}
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 282c18b422..0725033fa6 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 2;
+    public final static long BUILD = 3;
 
     /** for example "-test" */
     public final static String EXTRA = "";
diff --git a/router/java/src/net/i2p/router/transport/ntcp/InboundEstablishState.java b/router/java/src/net/i2p/router/transport/ntcp/InboundEstablishState.java
index 5b6d912e4e..eea0071968 100644
--- a/router/java/src/net/i2p/router/transport/ntcp/InboundEstablishState.java
+++ b/router/java/src/net/i2p/router/transport/ntcp/InboundEstablishState.java
@@ -949,9 +949,13 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
      */
     public void gotRI(RouterInfo ri, boolean isHandshake, boolean flood) throws DataFormatException {
         // Validate Alice static key
-        String s = null;
         // find address with matching version
         List<RouterAddress> addrs = ri.getTargetAddresses(NTCPTransport.STYLE, NTCPTransport.STYLE2);
+        if (addrs.isEmpty()) {
+            _msg3p2FailReason = NTCPConnection.REASON_S_MISMATCH;
+            throw new DataFormatException("no NTCP in RI: " + ri);
+        }
+        String s = null;
         for (RouterAddress addr : addrs) {
             String v = addr.getOption("v");
             if (v == null ||
@@ -964,19 +968,19 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
         }
         if (s == null) {
             _msg3p2FailReason = NTCPConnection.REASON_S_MISMATCH;
-            throw new DataFormatException("no s in RI");
+            throw new DataFormatException("no s in RI: " + ri);
         }
         byte[] sb = Base64.decode(s);
         if (sb == null || sb.length != KEY_SIZE) {
             _msg3p2FailReason = NTCPConnection.REASON_S_MISMATCH;
-            throw new DataFormatException("bad s in RI");
+            throw new DataFormatException("bad s in RI: " + ri);
         }
         byte[] nb = new byte[32];
         // compare to the _handshakeState
         _handshakeState.getRemotePublicKey().getPublicKey(nb, 0);
         if (!DataHelper.eqCT(sb, 0, nb, 0, KEY_SIZE)) {
             _msg3p2FailReason = NTCPConnection.REASON_S_MISMATCH;
-            throw new DataFormatException("s mismatch in RI");
+            throw new DataFormatException("s mismatch in RI: " + ri);
         }
         _aliceIdent = ri.getIdentity();
         Hash h = _aliceIdent.calculateHash();
diff --git a/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java b/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java
index 191adea717..55c97a2695 100644
--- a/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java
+++ b/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java
@@ -1528,7 +1528,13 @@ public class NTCPTransport extends TransportImpl {
             // we are still firewalled (SW firewall, bad UPnP indication, etc.)
             if (_log.shouldLog(Log.INFO))
                 _log.info("old host: " + ohost + " config: " + name + " new: null");
-            newAddr = null;
+            if (_enableNTCP2) {
+                // addNTCP2Options() called below
+                newProps.clear();
+                newAddr = new RouterAddress(STYLE2, newProps, NTCP2_OUTBOUND_COST);
+            } else {
+                newAddr = null;
+            }
             changed = true;
         }