topic Re: Site to site VPN issue - Packet is dropped because there is no valid SA in SASE and Remote Access

Site to site VPN issue - Packet is dropped because there is no valid SA

MichaelBurnham — Thu, 18 Mar 2021 11:35:46 GMT

Hello everyone,

I have a site to site VPN ( Checkpoint to checkpoint, IKEv2 only). A few days ago, everything was working fine. but since yesterday, traffic is ok in one way, and it's dropped by the firewall for the other way, with the error message below:

Enryption Fail Reason: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

I've checked the configuration, everything looks fine. The fact that is work one day and stopped working the next can't be a config issue..I think..

Does anyone have any idea what might be the root cause ?

Thank you,

Re: Site to site VPN issue - Packet is dropped because there is no valid SA

Timothy_Hall — Thu, 18 Mar 2021 16:10:03 GMT

Insufficient information. That error message is a symptom of your problem (interesting traffic could not be encrypted and forwarded because no VPN tunnel is present), not the actual cause. You should have some other error messages that will be more helpful such as "no proposal chosen", "no response from peer", "Invalid ID", "Received a Cleartext Packet within an Encrypted Connection", "Packet was Decrypted, but Policy Says Packet Should not have been decrypted", etc.

Re: Site to site VPN issue - Packet is dropped because there is no valid SA

the_rock — Thu, 18 Mar 2021 16:19:44 GMT

Tim is right, very generic error...did you try run ike debug? Also, there is a setting in global properties to "keep ike SAs", check that and push policy. Is under menu -> global properties -> advanced -> configuration -> VPN I believe

Andy

Re: Site to site VPN issue - Packet is dropped because there is no valid SA

MichaelBurnham — Thu, 18 Mar 2021 19:51:59 GMT

@Timothy_Hall and @the_rock Thank you for your reply.

I have checked and there is no other error message. The enryption is working again and nothing has been changed to make it work. I will check further tomorrow and see if there is anything unsual.

@the_rock The option "Keep IKE SAs" is already enabled.

Re: Site to site VPN issue - Packet is dropped because there is no valid SA

the_rock — Thu, 18 Mar 2021 20:22:36 GMT

Ok, sounds good...maybe also make sure to check "keep all connections" under connection persistence under gateway properties (somewhere on the left menu at the bottom). Honestly, dont ask me why this is relevant, but I had seen it help with VPN tunnels many times.

Andy

Re: Site to site VPN issue - Packet is dropped because there is no valid SA

Bob_Zimmerman — Thu, 18 Mar 2021 22:00:52 GMT

As Andy advised, you should definitely enable IKE debugging. You can do so with this command on the firewall:

vpn debug ikeon

If you are using a cluster, you should enable it on both members. If you control both sides of the VPN, you should enable it on both sides. You then need to wait until you get a successful negotiation and start seeing the problem again. "Packet is dropped because there is no valid SA" always means the traffic was flagged as interesting for a particular VPN community and was held while the keys were negotiated, but the key negotiation failed. To figure out what's wrong from an IKE debug, you want a successful negotiation and a failing negotiation. The difference between them is the most certain way to figure out what's wrong.