hi danny, i'm not sure but i think that vpn tu del PEER_IP is a "shortcut" to the option 5 on vpn tu... and option 5 is a "lighter" version of option 7 (it preserve IKE SA)....so it should not help

anyway, I THINK that any attempt to delete the SA it will fail because in such cases, there is "NO outbound SA" and here  we are trying to delete an MSA/MSPI, that is something different:

• MSA - "Meta SA".

  • Contains:
    
    • Methods
    • Encapsulation scheme (ESP, AH, UDP)
    • Encryption algorithm
    • Data integrity algorithm
    • Peer identity
    • Peer address
    • User name (for Remote Access client)
    • Intended use (IPsec IDs)
    • Access to Current usable SA (outbound only)
  • MSA is bi-directional.
  • Inbound SAs point to the MSA.
  • The MSA points to an outbound SA.
  • When SAs are rekeyed and replaced, the MSA is not. It is just updated.
  • An encrypted connection is marked with an MSPI (handle for the MSA).

MSPI - "Meta SPI" = peer + methods + IDs.

• MSPI is not a standard concept and exists only in Check Point VPN kernel.
• MSPI is actually a tunnel identifier. It is a local counter that uniquely identifies a tunnel on the given machine.
  In cluster topology it needs to be translated from the MSPI of peer cluster member to the local MSPI.
• MSPI is an index to the MSA (Meta SA), which contains fields common to all SAs with the same peer, methods, IDs, where:
  
  • Peer - peer gateway IP address
  • Methods - per rule (community) parameters
  • IDs - client/server or their containing subnets
• When a new IPsec tunnel is established, a new MSPI is created by, it get the next free MSPI number, and the MSPI counter is increased.
• When an IPsec tunnel is closed, the MSPI counter is decreased.

that is probably the root cause of the trafffic problem, but, coming back to the thread question, this is why any attempt to delete that entry will fail with any "delete SA" command.... of course these are only my assumptions, need a vpn king here to be sure 🙂 

Hello Phoneboy,

Don't you think there should be an easier way to do this?
Having traffic outages after deleting all related VPN configuration because the CP firewall still has some entries in some tables that you need to dig deep and if lucky you may find it(probably not).. 

CP needs to understand that customers are getting less and less tolerant to this kind of quirks..

100% agree

Not only customers, administrators like us too...

It's possible this particular issue is not known or not encountered often enough.
However, I tend to think vpn tu should either offer an option for this or do it as part of one of the existing options.
I'll ask around. 

I believe the correct table to find this in (per https://support.checkpoint.com/results/sk/sk104760) is called meta_sas.
You can use fw tab -x to delete the relevant entry in the connections table.
Other tables are also listed there. 

When I asked about this problem previously, I was told that this issue needs to be handled via the TAC.
It is likely some sort of bug that is causing this.

I'd suspect that the withdrawal of IKE negotiation duties from vpnd and re-implementation of that into the new iked daemon in R81.10+ may have something to do with these problems, and this transition may have broken something in how vpn tu interacts with it.  Something perhaps for R&D to look into.  @CheckPointerXL I assume you are running at least R81.10 and iked is running on your gateway?

correct, it seems that compulsively doing vpn tu->optin 7-ip peer it works.... maybe it's a case, but it worked last two times (only for Phase2)