topic Re: VPN drops - decrypt mspi is not valid in Firewall and Security Management

VPN drops - decrypt mspi is not valid

biskit — Thu, 27 Jul 2023 08:39:44 GMT

I have a site-to-site VPN from CP to AWS. It has been working fine, then suddenly it stopped working. No changes have been made.

The tunnel itself is up.

I initiate traffic from my LAN to AWS. I'm seeing return traffic dropping as it comes back from AWS. Zdebug shows the following:

Line 10860: @;667035602;[cpu_0];[SIM-241633670];vpn_verify: mspi check failed (cdir=1; conn_mspis:000004e4,00000000; packet_mspi:003ba7df), c2s conn: <10.16.173.13,62106,10.51.25.146,1521,6>; Line 10861: @;667035603;[cpu_0];[SIM-241633670];do_inbound: VPN verify returned DROP -> dropping packet, conn: <10.51.25.146,1521,10.16.173.13,62106,6>; Line 10862: @;667035603;[cpu_0];[SIM-241633670];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.51.25.146,1521,10.16.173.13,62106,6>; Line 10863: @;667035603;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.51.25.146:1521 -> 10.16.173.13:62106 dropped by vpn_dec_verify_mspi_failure_sxl_notification_handler Reason: decrypt mspi is not valid;

I can't see much in SecureKnowledge on this error. Has anyone come across this before? Any ideas on why it's suddenly started happening? I've dropped the tunnel (in "vpn tu") and it comes straight back up fine, but still drops return traffic.

Re: VPN drops - decrypt mspi is not valid

G_W_Albrecht — Thu, 27 Jul 2023 10:35:09 GMT

I would suggest that you contact CP TAC to get this resolved asap !

Re: VPN drops - decrypt mspi is not valid

biskit — Thu, 27 Jul 2023 10:38:17 GMT

Yeah I already have. Their suggestions aren't especially useful at the moment so I thought I'd throw it out to the wider community just in case 😀. I'll carry on with TAC.

Re: VPN drops - decrypt mspi is not valid

biskit — Thu, 27 Jul 2023 12:33:56 GMT

We've deleted the AWS VPN config and recreated it from scratch. Updated the new AWS peer IP's in Check Point and the VPN is back up and working again. Still not sure what was causing the errors but recreating was quicker than debugging!

Re: VPN drops - decrypt mspi is not valid

the_rock — Thu, 27 Jul 2023 18:54:24 GMT

I know what you mean...I found myself doing simlar with different issues, rather than waiting on TAC, simply due to urgency of the matter.

Andy

Re: VPN drops - decrypt mspi is not valid

StackCap43382 — Thu, 02 Oct 2025 10:27:13 GMT

In case anyone else searches this error.

Same symptoms for UDP traffic passing over VPN being silently dropped on arrival after decrypt but zdebug:

@;1531076470.3303760;[vs_0];[tid_40];[fw4_40];fw_log_drop_ex: Packet proto=SRC:6440 -> DST:6440 dropped by vpn_dec_verify_mspi_failure_sxl_notification_handler Reason: decrypt mspi is not valid;

Same SRC and DST using different ports worked so was not a VPN issue.

Matching Connections flushed from table and connectivity restored.

Re: VPN drops - decrypt mspi is not valid

the_rock — Thu, 02 Oct 2025 10:48:31 GMT

Excellent!