This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pavel88
Explorer
‎2020-09-02 11:23 AM
Jump to solution

#fw ctl zdebug drop, strange log

Hi all,

Hi to all, anyone familiar with this drop (fw ctl zdebug + drop)

When I ping thru VPN s2s I get latency on the traffic (around 360ms on each ping)

On #fw ctl zdebug + drop is see this drop continually.
;[cpu_1];[fw4_0];update_narrowed_mspi_on_enc_opaque: Connection <dir 1, 192.168.1.1:2 -> 172.16.20.10:0 IPP 1> does not have an opaque;

anyone is familiar with this?

Thank you.

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion
Champion
‎2020-09-02 11:44 AM
Jump to solution

Hi @Pavel88,

MSPI is a tunnel identifier. It is a local counter that uniquely identifies a tunnel on the given machine. MSPI is an index to the MSA (Meta SA), which contains fields common to all SAs with the same peer, methods, and IDs. When a new IPsec tunnel is established, a new MSPI is created by it, and it gets the next free MSPI number. The MSPI counter is then increased.

I think there is something incorrect with the MSPI update in the encryption process.

I would open a TAC case.


➜ CCSM Elite, CCME, CCTE

View solution in original post

2 Replies
HeikoAnkenbrand
Champion
Champion
‎2020-09-02 11:44 AM
Jump to solution

Hi @Pavel88,

MSPI is a tunnel identifier. It is a local counter that uniquely identifies a tunnel on the given machine. MSPI is an index to the MSA (Meta SA), which contains fields common to all SAs with the same peer, methods, and IDs. When a new IPsec tunnel is established, a new MSPI is created by it, and it gets the next free MSPI number. The MSPI counter is then increased.

I think there is something incorrect with the MSPI update in the encryption process.

I would open a TAC case.


➜ CCSM Elite, CCME, CCTE
_Val_
Admin
Admin
‎2020-09-02 11:33 PM
Jump to solution

Open a TAC case, this is a clear support issue

0 Kudos