Hello everyone,
I have a site-to-site VPN (Check Point to Check Point, IKEv2 only). A few days ago everything was working fine, but since yesterday traffic is OK in one direction and is dropped by the firewall in the other direction, with the error message below:
Encryption Fail Reason: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"
I've checked the configuration and everything looks fine. The fact that it worked one day and stopped working the next can't be a config issue... I think.
Does anyone have any idea what the root cause might be?
Thank you,
Insufficient information. That error message is a symptom of your problem (interesting traffic could not be encrypted and forwarded because no VPN tunnel is present), not the actual cause. You should have some other error messages that will be more helpful such as "no proposal chosen", "no response from peer", "Invalid ID", "Received a Cleartext Packet within an Encrypted Connection", "Packet was Decrypted, but Policy Says Packet Should not have been decrypted", etc.
@Timothy_Hall and @the_rock Thank you for your reply.
I have checked and there is no other error message. The encryption is working again and nothing has been changed to make it work. I will check further tomorrow and see if there is anything unusual.
@the_rock The option "Keep IKE SAs" is already enabled.
Ok, sounds good... maybe also make sure to check "keep all connections" under Connection Persistence in the gateway properties (somewhere on the left menu at the bottom). Honestly, don't ask me why this is relevant, but I have seen it help with VPN tunnels many times.
Andy
As Andy advised, you should definitely enable IKE debugging. You can do so with this command on the firewall:
```
vpn debug ikeon
```
If you are using a cluster, you should enable it on both members. If you control both sides of the VPN, you should enable it on both sides. You then need to wait until you get a successful negotiation and start seeing the problem again. "Packet is dropped because there is no valid SA" always means the traffic was flagged as interesting for a particular VPN community and was held while the keys were negotiated, but the key negotiation failed. To figure out what's wrong from an IKE debug, you want a successful negotiation and a failing negotiation. The difference between them is the most certain way to figure out what's wrong.
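As an added illustration (not part of the thread, and using a constructed, simplified log format rather than real Check Point output), this Python helper ties each "no valid SA" drop to the most recent IKE failure reason seen from the same peer, i.e. the kind of causal message Tim lists above, so the symptom can be traced back to a cause and drops with no nearby cause are flagged for an IKE debug.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified; NOT real Check Point log format):
# "<date> <time> peer=<ip> <message>"
SAMPLE_LOG = """\
2025-12-10 09:00:01 peer=203.0.113.10 IKE: negotiation started
2025-12-10 09:00:02 peer=203.0.113.10 IKE: no proposal chosen
2025-12-10 09:00:03 peer=203.0.113.10 Packet is dropped because there is no valid SA
2025-12-10 09:00:04 peer=203.0.113.10 Packet is dropped because there is no valid SA
2025-12-10 09:05:00 peer=198.51.100.7 IKE: negotiation started
2025-12-10 09:05:01 peer=198.51.100.7 IKE: SA established
2025-12-10 11:30:00 peer=203.0.113.10 Packet is dropped because there is no valid SA
"""

SYMPTOM = "no valid SA"  # the generic message from the thread; a symptom, not a cause
# Root-cause messages named in the thread that explain a failed negotiation.
CAUSE_PATTERNS = [
    "no proposal chosen", "no response from peer", "Invalid ID",
    "Received a Cleartext Packet within an Encrypted Connection",
    "Packet was Decrypted, but Policy Says Packet Should not have been decrypted",
]
LINE_RE = re.compile(r"^(\S+ \S+) peer=(\S+) (.*)$")

def parse(log_text):
    """Return (timestamp, peer, message) tuples for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def correlate(log_text, window=timedelta(minutes=5)):
    """Per peer: count 'no valid SA' drops, collect the cause messages seen
    within `window` before each drop, and count drops with no nearby cause."""
    last_cause = {}  # peer -> (timestamp, cause message)
    result = defaultdict(lambda: {"drops": 0, "causes": set(), "unexplained": 0})
    for ts, peer, msg in parse(log_text):
        cause = next((c for c in CAUSE_PATTERNS if c.lower() in msg.lower()), None)
        if cause:
            last_cause[peer] = (ts, cause)
        elif SYMPTOM in msg:
            result[peer]["drops"] += 1
            recent = last_cause.get(peer)
            if recent and ts - recent[0] <= window:
                result[peer]["causes"].add(recent[1])
            else:
                result[peer]["unexplained"] += 1  # candidate for 'vpn debug ikeon'
    return dict(result)
```

Peers whose drops are all "unexplained" are exactly the case described in this thread, where the generic message appears without an accompanying negotiation error and only an IKE debug will show the failing exchange.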
Tim is right, very generic error... did you try running IKE debug? Also, there is a setting in Global Properties to "keep IKE SAs"; check that and push policy. It's under Menu -> Global Properties -> Advanced -> Configuration -> VPN, I believe.
Andy