This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
Advisor
‎2023-07-27 01:39 AM
Jump to solution

VPN drops - decrypt mspi is not valid

I have a site-to-site VPN from CP to AWS.  It has been working fine, then suddenly it stopped working.  No changes have been made.

The tunnel itself is up.

I initiate traffic from my LAN to AWS.  I'm seeing return traffic dropping as it comes back from AWS.  Zdebug shows the following:

 

Line 10860: @;667035602;[cpu_0];[SIM-241633670];vpn_verify: mspi check failed (cdir=1; conn_mspis:000004e4,00000000; packet_mspi:003ba7df), c2s conn: <10.16.173.13,62106,10.51.25.146,1521,6>;
Line 10861: @;667035603;[cpu_0];[SIM-241633670];do_inbound: VPN verify returned DROP -> dropping packet, conn: <10.51.25.146,1521,10.16.173.13,62106,6>;
Line 10862: @;667035603;[cpu_0];[SIM-241633670];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.51.25.146,1521,10.16.173.13,62106,6>;
Line 10863: @;667035603;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.51.25.146:1521 -> 10.16.173.13:62106 dropped by vpn_dec_verify_mspi_failure_sxl_notification_handler Reason: decrypt mspi is not valid;

 

I can't see much in SecureKnowledge on this error.  Has anyone come across this before?  Any ideas on why it's suddenly started happening?  I've dropped the tunnel (in "vpn tu") and it comes straight back up fine, but still drops return traffic.

0 Kudos
2 Solutions

Accepted Solutions
biskit
Advisor
Advisor
‎2023-07-27 05:33 AM
Jump to solution

We've deleted the AWS VPN config and recreated it from scratch.  Updated the new AWS peer IP's in Check Point and the VPN is back up and working again.  Still not sure what was causing the errors but recreating was quicker than debugging!

View solution in original post

(1)
StackCap43382
Collaborator
Collaborator
‎2025-10-02 03:27 AM
In response to biskit
Jump to solution

In case anyone else searches this error.

Same symptoms for UDP traffic passing over VPN being silently dropped on arrival after decrypt but zdebug:

@;1531076470.3303760;[vs_0];[tid_40];[fw4_40];fw_log_drop_ex: Packet proto=SRC:6440 -> DST:6440 dropped by vpn_dec_verify_mspi_failure_sxl_notification_handler Reason: decrypt mspi is not valid;

Same SRC and DST using different ports worked so was not a VPN issue.

Matching Connections flushed from table and connectivity restored.

 

 

CCSME, CCTE, CCME, CCVS

View solution in original post

(1)
6 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-07-27 03:35 AM
Jump to solution

I would suggest that you contact CP TAC to get this resolved asap !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
biskit
Advisor
Advisor
‎2023-07-27 03:38 AM
In response to G_W_Albrecht
Jump to solution

Yeah I already have.  Their suggestions aren't especially useful at the moment so I thought I'd throw it out to the wider community just in case 😀.  I'll carry on with TAC.

(1)
biskit
Advisor
Advisor
‎2023-07-27 05:33 AM
Jump to solution

We've deleted the AWS VPN config and recreated it from scratch.  Updated the new AWS peer IP's in Check Point and the VPN is back up and working again.  Still not sure what was causing the errors but recreating was quicker than debugging!

(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-07-27 11:54 AM
In response to biskit
Jump to solution

I know what you mean...I found myself doing simlar with different issues, rather than waiting on TAC, simply due to urgency of the matter.

Andy

Best,
Andy
StackCap43382
Collaborator
Collaborator
‎2025-10-02 03:27 AM
In response to biskit
Jump to solution

In case anyone else searches this error.

Same symptoms for UDP traffic passing over VPN being silently dropped on arrival after decrypt but zdebug:

@;1531076470.3303760;[vs_0];[tid_40];[fw4_40];fw_log_drop_ex: Packet proto=SRC:6440 -> DST:6440 dropped by vpn_dec_verify_mspi_failure_sxl_notification_handler Reason: decrypt mspi is not valid;

Same SRC and DST using different ports worked so was not a VPN issue.

Matching Connections flushed from table and connectivity restored.

 

 

CCSME, CCTE, CCME, CCVS
(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-10-02 03:48 AM
In response to StackCap43382
Jump to solution

Excellent!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events