JHJohansen
Explorer

VPN inspi_to_instance and why is it increasing when inbound and outbound spi does not?

We're having issues with a Google Cloud VPN tunnel and managed to see an increase in inbound and outbound SPI when it happens.

To counter the problem we've scripted an IPSEC SA reset every day at 03:00. So far we've had no VPN issues after the scripted reset.

But what I noticed is that the number of inSPI_to_instance increases dramatically 30-45 minutes after each reset.
For some reason the inSPI value for today is a fraction of what it has been earlier this week. No idea why.

The values for the graph are collected from the values you get when running:

vsenv X
fw tab -s | grep -i SPI
 
 

inSPI_to_instance.png

Can someone shed some light as to what inSPI_to_instance is used for and maybe why there is this delayed sudden increase after the reset?

Before setting up the automated job I tested the script manually during work hours and did not encounter the same increase.

 

The only thing the script does is to log on to the node running the VPN gateway, change VS environment and delete IPSEC SA for the specified Google Cloud gateway (x.x.x.x):

vsenv X
vpn tu del ipsec x.x.x.x

 
