
[VPN] [AWS] Issue when rekeying the phase 1

Check Point version: R80.40.

Peer gateway: AWS


Hello all,

We have an issue with a tunnel VPN. The tunnel goes UP with no problem, the streams are encrypted and sent inside the tunnel. Until here, no problem.


But once the phase 1 expires, and it tries to rekey, the streams don't pass anymore in the tunnel, even if the tunnel is UP, and seems to be OK with the rekey (new SA and new SPI, shown with vpn tu).

We are obliged to reset the tunnel before the streams run again.


We have noticed that at every phase 1 rekeying, we drop packets from peer gateway because of "Unknown SPI: 0xXXXXXXXX for IPsec packet.".

We have this error message too on ESP packets: "Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found".


We've activated the keep_ike_sa, changed the VPN tunnel parameters as recommended by AWS, changed the value of the DPD Timeout action in the peer gateway, but nothing has fixed the issue.


Hope to find the solution here.


Many thanks.

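An added example (not from the original poster, Check Point, or AWS) to confirm the correlation described above before touching any setting: it scans constructed log lines for the two quoted drop messages and ties each drop to the most recent phase 1 rekey within a time window. The log line format, timestamps, peer addresses and SPIs are all assumed, not real gateway output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (format assumed, not real Check Point output): a phase 1
# rekey followed by a burst of SPI drops, then an unrelated drop much later.
SAMPLE_LOG = """\
2024-01-01 10:00:00 vpnd: IKE SA rekey complete with peer 203.0.113.10
2024-01-01 10:00:01 fw: Unknown SPI: 0xc0ffee01 for IPsec packet. src 203.0.113.10
2024-01-01 10:00:02 fw: Unknown SPI: 0xc0ffee01 for IPsec packet. src 203.0.113.10
2024-01-01 10:00:03 fw: Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found
2024-01-01 10:30:00 fw: Unknown SPI: 0xdeadbeef for IPsec packet. src 198.51.100.7
"""

REKEY_RE = re.compile(r"IKE SA rekey complete with peer (\S+)")  # assumed wording
SPI_RE = re.compile(r"Unknown SPI: (0x[0-9a-fA-F]+) for IPsec packet")
NO_SA_RE = re.compile(r"IPsec SA associated with the SPI .* could not be found")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(line):
    """Timestamp is assumed to be the first 19 characters of each line."""
    return datetime.strptime(line[:19], TS_FMT)


def correlate_spi_drops(log_text, window_s=60):
    """Group SPI-related drops by the phase 1 rekey they follow within window_s.

    Returns (correlated, uncorrelated): correlated maps a rekey timestamp string
    to the list of dropped SPIs (None when the message carries no SPI);
    uncorrelated lists (timestamp, spi) drops that follow no recent rekey."""
    last_rekey = None
    correlated = {}
    uncorrelated = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if REKEY_RE.search(line):
            last_rekey = ts
            correlated[ts.strftime(TS_FMT)] = []
            continue
        spi_m = SPI_RE.search(line)
        if not spi_m and not NO_SA_RE.search(line):
            continue  # not one of the two drop messages we care about
        spi = spi_m.group(1).lower() if spi_m else None
        if last_rekey and ts - last_rekey <= timedelta(seconds=window_s):
            correlated[last_rekey.strftime(TS_FMT)].append(spi)
        else:
            uncorrelated.append((ts.strftime(TS_FMT), spi))
    return correlated, uncorrelated


if __name__ == "__main__":
    corr, uncorr = correlate_spi_drops(SAMPLE_LOG)
    for rekey, drops in corr.items():
        print(f"rekey at {rekey}: {len(drops)} SPI-related drops within window")
    print("drops not tied to a rekey:", uncorr)
```

Drops that cluster right after every rekey, while the SPI they name is no longer installed, point at the child SAs being torn down with the old IKE SA rather than at a routing or policy problem.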


Please review sk108600 scenario 4 if not already.




Hi Chris, thank you for your fast answer.


After checking the value of ike_keep_child_sa_interop_devices, it is set to false.

According to the SK, changing the value to true may resolve the issue, but before applying the change, I want to know what impacts it can have on other stable VPN connections? Is there a risk to do it?


Many thanks.

Kind regards.
