MichaelBurnham
Explorer

Site to site VPN issue - Packet is dropped because there is no valid SA

Hello everyone,

I have a site to site VPN (Check Point to Check Point, IKEv2 only). A few days ago, everything was working fine, but since yesterday, traffic is OK in one direction and dropped by the firewall in the other direction, with the error message below:

Encryption Fail Reason: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

I've checked the configuration, everything looks fine. The fact that it worked one day and stopped working the next can't be a config issue... I think.

Does anyone have any idea what the root cause might be?

Thank you,

5 Replies
Timothy_Hall
Champion

Insufficient information.  That error message is a symptom of your problem (interesting traffic could not be encrypted and forwarded because no VPN tunnel is present), not the actual cause.  You should have some other error messages that will be more helpful such as "no proposal chosen", "no response from peer", "Invalid ID", "Received a Cleartext Packet within an Encrypted Connection", "Packet was Decrypted, but Policy Says Packet Should not have been decrypted", etc.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
MichaelBurnham
Explorer

@Timothy_Hall and @the_rock Thank you for your reply.

I have checked and there is no other error message. The encryption is working again and nothing has been changed to make it work. I will check further tomorrow and see if there is anything unusual.

@the_rock The option "Keep IKE SAs" is already enabled.

the_rock
Leader

OK, sounds good... maybe also make sure to check "keep all connections" under connection persistence under gateway properties (somewhere on the left menu at the bottom). Honestly, don't ask me why this is relevant, but I had seen it help with VPN tunnels many times.

Andy
Bob_Zimmerman
Advisor

As Andy advised, you should definitely enable IKE debugging. You can do so with this command on the firewall:

vpn debug ikeon

If you are using a cluster, you should enable it on both members. If you control both sides of the VPN, you should enable it on both sides. You then need to wait until you get a successful negotiation and start seeing the problem again. "Packet is dropped because there is no valid SA" always means the traffic was flagged as interesting for a particular VPN community and was held while the keys were negotiated, but the key negotiation failed. To figure out what's wrong from an IKE debug, you want a successful negotiation and a failing negotiation. The difference between them is the most certain way to figure out what's wrong.

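As an added illustration of the approach Andy and Bob describe (compare a successful negotiation against a failing one and look for the first divergence), and not code from this thread or from Check Point: the Python script below groups IKE messages per peer, labels each negotiation with the first known failure signature from Timothy's list, and reports the index at which a failing run departs from a good one. The line format and the sample log are constructed assumptions; the real ike.elg debug file is normally read with IKEView and has its own layout.

```python
import re
from collections import defaultdict

# Root-cause strings quoted in Timothy_Hall's reply. The "no valid SA" drop is only
# the symptom, so it is deliberately left off this list.
FAILURE_SIGNATURES = ("no proposal chosen", "no response from peer", "invalid id",
    "received a cleartext packet within an encrypted connection",
    "packet was decrypted, but policy says packet should not have been decrypted")

# Constructed sample in an ASSUMED text format "<time> peer=<ip> <message>".
# One negotiation that succeeds, then one that fails on an ID mismatch.
SAMPLE_LOG = """\
10:01:02 peer=203.0.113.10 IKE_SA_INIT sent
10:01:03 peer=203.0.113.10 IKE_AUTH sent
10:01:03 peer=203.0.113.10 IKE_AUTH received, CHILD_SA established
14:22:40 peer=203.0.113.10 IKE_SA_INIT sent
14:22:41 peer=203.0.113.10 IKE_AUTH sent
14:22:41 peer=203.0.113.10 Invalid ID in IKE_AUTH response
14:22:41 peer=203.0.113.10 Packet is dropped because there is no valid SA
"""
LINE_RE = re.compile(r"^\S+ peer=(?P<peer>\S+) (?P<msg>.*)$")

def split_negotiations(log_text):
    """Group messages per peer; a new negotiation begins at each 'IKE_SA_INIT sent'."""
    done, open_runs = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines outside the assumed format
        peer, msg = m.group("peer"), m.group("msg")
        if msg.startswith("IKE_SA_INIT sent") and open_runs[peer]:
            done.append((peer, open_runs.pop(peer)))  # close the previous run
        open_runs[peer].append(msg)
    done.extend(open_runs.items())  # runs still open at end of log
    return done

def classify(msgs):
    """'ok' if a CHILD_SA came up, else the first known failure signature, else 'incomplete'."""
    for msg in msgs:
        hit = next((s for s in FAILURE_SIGNATURES if s in msg.lower()), None)
        if hit:
            return "failed: " + hit
    return "ok" if any("established" in m for m in msgs) else "incomplete"

def first_divergence(good, bad):
    """Index of the first message where a failing run departs from a successful one."""
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i
    return min(len(good), len(bad))
```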
the_rock
Leader

Tim is right, very generic error... did you try running IKE debug? Also, there is a setting in global properties to "keep IKE SAs"; check that and push policy. It's under Menu -> Global Properties -> Advanced -> Configuration -> VPN, I believe.

Andy