https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/93788#M18582 <P>Those messages indicate that the Check Point expired or otherwise removed an existing IPSec VPN tunnel, yet the AWS side still thinks it is up and is sending traffic which the Check Point cannot decrypt because the tunnel no longer exists.</P> <P>I assume you have already seen this SK, as AWS will only allow 2 SPIs:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk113561&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk113561: <STRONG>VPN</STRONG> Tunnel to Amazon Web Services (<STRONG>AWS</STRONG>) is unstable</A></P> <P>Assuming it is not that, make sure the Phase 1 and Phase 2 SA Lifetimes match *exactly* between the configuration on both sides.</P> Mon, 10 Aug 2020 18:16:56 GMT Timothy_Hall 2020-08-10T18:16:56Z https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/93763#M18578 <P><SPAN>I have several VPNs against AWS, it happens that at random the traffic falls and come back again .sometimes I have to install policy to make come back again&nbsp;</SPAN></P><P><SPAN>it was with 5900 and 80.10 , and now again with a new 6700 and 80.40&nbsp;</SPAN></P><P><SPAN>what&nbsp; I see in the logs:</SPAN></P><P><SPAN>IKE_NAT_TRAVERSAL Traffic Dropped from aws to cp</SPAN></P><P><SPAN>"Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found"</SPAN></P><P><SPAN>and:</SPAN></P><P><SPAN>"Unknown SPI: 0x8799740b for UDP encapsulated IPsec packet"</SPAN></P><P>&nbsp;</P><P><SPAN>any idea? cp tech are trying to resolve it for a long time</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 10 Aug 2020 13:30:21 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/93763#M18578 kobi_rudy 2020-08-10T13:30:21Z https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/93788#M18582 <P>Those messages indicate that the Check Point expired or otherwise removed an existing IPSec VPN tunnel, yet the AWS side still thinks it is up and is sending traffic which the Check Point cannot decrypt because the tunnel no longer exists.</P> <P>I assume you have already seen this SK, as AWS will only allow 2 SPIs:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk113561&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk113561: <STRONG>VPN</STRONG> Tunnel to Amazon Web Services (<STRONG>AWS</STRONG>) is unstable</A></P> <P>Assuming it is not that, make sure the Phase 1 and Phase 2 SA Lifetimes match *exactly* between the configuration on both sides.</P> Mon, 10 Aug 2020 18:16:56 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/93788#M18582 Timothy_Hall 2020-08-10T18:16:56Z https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/93790#M18583 <P>We had a similar issue with Amazon AWS; it was fixed by setting the CheckPoint gateway to respond to DPD packets.&nbsp;</P><P>Check for "<EM>DPD responder mode</EM>" in <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec#Scenario%205" target="_blank" rel="noopener">sk108600</A>.&nbsp; You have to turn it on via a&nbsp;<EM><STRONG>ckp_regedit</STRONG></EM> on each gateway of the checkpoint cluster.</P><P>&nbsp;</P> Mon, 10 Aug 2020 18:58:29 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/93790#M18583 Dale_Lobb 2020-08-10T18:58:29Z https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/94006#M18620 <P>when you change to "dpd responder mode" do you have to cpstop, cpstart ? did you leave the MTU on 1500 or it changed too?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 13 Aug 2020 10:15:53 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/94006#M18620 kobi_rudy 2020-08-13T10:15:53Z https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/94229#M18655 <P>cp tech said it wont help since we see on the debug files that we are getting "DPD Hello " from amazon, and cp answers "DPD Ack" but some times we don't get the "DPD Hello" from amazon and than the vpn get a reset&nbsp; . amazon checked and say they are sending it- so its a mystery why cp does'nt get it ...</P> Sun, 16 Aug 2020 05:07:17 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/94229#M18655 kobi_rudy 2020-08-16T05:07:17Z https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/131945#M23886 <P>Hello, kobi.</P><P>Have you ever solved s2s vpn between AWS and CP?</P><P>I wonder.</P><P>&nbsp;</P><P>&nbsp;thank you.</P> Mon, 18 Oct 2021 09:08:34 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-VPN-AMAZON-AWS-CHECK-POINT/m-p/131945#M23886 Jung_Patrick 2021-10-18T09:08:34Z