Question : Checkpoint VPN Site to Site Issue - encryption failure: Unknown SPI: 0xb41565ee for IPsec packet.


Setting up a Site to Site connection with our clients. I am using Checkpoint R60 connecting to ASA Cisco Concentrators. We are able to establish connection with Phase 1 and Phase 2. Connection works fine for 1 hr before the end user gets disconnected. I am getting the following error message on my checkpoint firewall. I get this error message when the end user tries to use an app that has been open for more than an hour, see below. Phase 1 lifetime (1440 minutes) and phase 2 lifetime (28800 seconds) on both end points. End-user reconnects and works fine for an hour. Logs show keys are renegotiated. Has anyone seen this before?

Error message 1

Product: VPN-1 Pro/Express
VPN Feature: IKE
Interface: daemon
Origin: walll001 (xxx.xxx.xxx.xxx)
Type: Log
Action: Drop
Source: NS_VPN (bbb.bbb.bbb.bbb)
Protocol: ip
Rule: 0 - Implied Rules
Encryption Scheme: IKE
VPN Peer Gateway: NS_VPN (bbb.bbb.bbb.bbb)
Subproduct: VPN
Information: encryption failure: Unknown SPI: 0xb41565ee for IPsec packet.

Error Message 2

Product: VPN-1 Pro/Express
VPN Feature: IKE
Interface: daemon
Origin: walll001 (xxx.xxx.xxx.xxx)
Type: Alert
Action: Key Install
Source: wall001 (xxx.xxx.xxx.xxx)
Destination: NS_VPN (bbb.bbb.bbb.bbb)
Encryption Scheme: IKE
VPN Peer Gateway: NS_VPN (bbb.bbb.bbb.bbb)
IKE Initiator Cookie: bfab4c7a35a422df
IKE Responder Cookie: 216230de42298d33
IKE Phase2 Message ID: 9d2f54ac
Subproduct: VPN
Information: IKE: Informational Exchange Sent Delete IPSEC-SA to Peer: bbb.bbb.bbb.bbb
             SPI: 23aae1a2

Answer : Checkpoint VPN Site to Site Issue - encryption failure: Unknown SPI: 0xb41565ee for IPsec packet.

Do you get issues with any other VPNs, i.e. VPNs to CP firewalls? Is it only Cisco that you have probs with?

This smacks of differing negotiation timers and mismatch of renegs.

Dooglave is right about the VPN debugs, I was only really looking for any type of phase 2 negs, don't care which side it was, just to see what was set on the initiator side for the phase 2 timer. fw monitor is a bit overkill for a place like this hehe.
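One way to check the "mismatched renegs" theory from the gateway's own logs is to correlate the two record types quoted in the question: every Unknown-SPI drop that lands shortly after this side sent a Delete IPSEC-SA to the same peer is a sign the two ends disagree about which SAs are live. This is an added example, not code from the thread; it assumes each record carries a Time field (the quoted ones show none) and uses constructed sample records.

```python
import re
from datetime import datetime, timedelta
# Constructed sample records in the "Key: value" layout quoted in the question; the
# Time field is an assumption (the quoted records show none) so events can be ordered.
SAMPLE_LOG = """\
Time: 2009-01-05 10:00:02
Type: Alert
Action: Key Install
VPN Peer Gateway: NS_VPN (bbb.bbb.bbb.bbb)
Information: IKE: Informational Exchange Sent Delete IPSEC-SA to Peer: bbb.bbb.bbb.bbb SPI: 23aae1a2

Time: 2009-01-05 10:00:09
Type: Log
Action: Drop
VPN Peer Gateway: NS_VPN (bbb.bbb.bbb.bbb)
Information: encryption failure: Unknown SPI: 0xb41565ee for IPsec packet.

Time: 2009-01-05 12:30:41
Type: Log
Action: Drop
VPN Peer Gateway: NS_VPN (bbb.bbb.bbb.bbb)
Information: encryption failure: Unknown SPI: 0x0000abcd for IPsec packet.
"""
SPI_RE = re.compile(r"SPI:\s*(?:0x)?([0-9a-fA-F]+)")

def parse_records(text):
    # One dict per blank-line separated record; SPI normalised to lowercase hex without 0x.
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in chunk.splitlines())}
        rec["time"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        m = SPI_RE.search(rec.get("Information", ""))
        rec["spi"] = m.group(1).lower() if m else None
        records.append(rec)
    return records

def correlate(records, window=timedelta(seconds=120)):
    # Flag Unknown-SPI drops that arrive within `window` of a Delete IPSEC-SA this side sent
    # to the same peer: the two ends then disagree about which SAs are live (rekey timing).
    findings, last_delete = [], {}  # last_delete: peer -> (time, spi we deleted)
    for rec in sorted(records, key=lambda r: r["time"]):
        peer, info = rec.get("VPN Peer Gateway"), rec.get("Information", "")
        if "Delete IPSEC-SA" in info:
            last_delete[peer] = (rec["time"], rec["spi"])
        elif "Unknown SPI" in info and rec.get("Action") == "Drop":
            prev = last_delete.get(peer)
            recent = prev is not None and rec["time"] - prev[0] <= window
            findings.append({"peer": peer, "unknown_spi": rec["spi"], "after_local_delete": recent,
                             "deleted_spi": prev[1] if recent else None})
    return findings
```

A drop flagged `after_local_delete` right after every rekey on one peer, while other peers stay clean, points at that peer's phase 2 timer or rekey behaviour rather than at the Check Point side.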
