After ISP failover on LSV (Large Scale VPN) peer, gateway keeps using the old MSPI
  • When the LSV peer experiences an interface failover, it eventually re-negotiates IKE Main Mode with the peer Gateway.
    After the IKE negotiation completes, new connections pass through the tunnel, but existing connections are still sent to the old IP address of the LSV peer.

  • Kernel debug shows the drops:
    [-- request_ipsec_sa: Renew (outbound) SA --];
    [DATE TIME]...;add_to_MSPI_requests_table_ex: Entering keyid 0;
    [DATE TIME]...;add_to_MSPI_requests_table_ex: Already have this connection;
    [DATE TIME]...;request_ipsec_sa: Trap is on the way. not trapping;
    [DATE TIME]...;VPN-1: vpn_encrypt_chain: encryption failure, dropping packet;
    [DATE TIME]...;fw_log_drop_ex: Packet proto=1 192.x.x.x:0 -> 10.x.x.x:16397 dropped by vpn_encrypt_chain Reason: No error;
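    To pick this signature out of a long kernel debug rather than reading it by eye, the following added example (not Check Point's code, and not part of the original article) walks the debug in order and reports only those vpn_encrypt_chain drops that were immediately preceded by the "Already have this connection" and "Trap is on the way. not trapping" lines shown above. The sample debug text embedded in the script is constructed from the message formats on this page; its timestamps, key id and addresses are placeholders, and the second drop sequence is a constructed control case that must not be reported.

```python
import re

# Constructed sample kernel debug, modelled on the lines quoted above.
# Timestamps and addresses are placeholders, not real captures. The second
# sequence is a control case: a vpn_encrypt_chain drop that was NOT preceded
# by the MSPI "Already have this connection" / "Trap is on the way" lines.
SAMPLE_DEBUG = """\
[2024-01-01 10:00:00]...;request_ipsec_sa: Renew (outbound) SA;
[2024-01-01 10:00:00]...;add_to_MSPI_requests_table_ex: Entering keyid 0;
[2024-01-01 10:00:00]...;add_to_MSPI_requests_table_ex: Already have this connection;
[2024-01-01 10:00:00]...;request_ipsec_sa: Trap is on the way. not trapping;
[2024-01-01 10:00:00]...;VPN-1: vpn_encrypt_chain: encryption failure, dropping packet;
[2024-01-01 10:00:00]...;fw_log_drop_ex: Packet proto=1 192.0.2.10:0 -> 10.0.0.5:16397 dropped by vpn_encrypt_chain Reason: No error;
[2024-01-01 10:00:05]...;request_ipsec_sa: Renew (outbound) SA;
[2024-01-01 10:00:05]...;VPN-1: vpn_encrypt_chain: encryption failure, dropping packet;
[2024-01-01 10:00:05]...;fw_log_drop_ex: Packet proto=6 192.0.2.11:443 -> 10.0.0.6:50000 dropped by vpn_encrypt_chain Reason: No error;
"""

# Field layout of the fw_log_drop_ex line as it appears on the page.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<chain>\S+) Reason: (?P<reason>[^;]*)"
)


def parse_drop(line):
    """Return the fields of an fw_log_drop_ex line as a dict, or None if the
    line is not a drop record."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    return d


def find_stale_sa_drops(debug_text):
    """Walk the debug in order and return the vpn_encrypt_chain drops that
    follow the 'Already have this connection' + 'Trap is on the way' pair.

    The pair means the kernel already holds a pending SA request for this
    connection, so it raises no new one and the packet is dropped: that is
    the pattern the page describes for connections still bound to the LSV
    peer's old IP address after failover.
    """
    hits = []
    already_have = trap_pending = False
    for line in debug_text.splitlines():
        if "request_ipsec_sa: Renew (outbound) SA" in line:
            # a new SA request starts a fresh sequence
            already_have = trap_pending = False
        elif "add_to_MSPI_requests_table_ex: Already have this connection" in line:
            already_have = True
        elif "request_ipsec_sa: Trap is on the way" in line:
            trap_pending = True
        elif "fw_log_drop_ex:" in line:
            drop = parse_drop(line)
            if drop and drop["chain"] == "vpn_encrypt_chain" \
                    and already_have and trap_pending:
                hits.append(drop)
            # any drop record closes the current sequence
            already_have = trap_pending = False
    return hits


def drops_per_destination(hits):
    """Count flagged drops per destination address, which is the quickest
    way to see which LSV peer addresses the stale connections still target."""
    counts = {}
    for h in hits:
        counts[h["dst"]] = counts.get(h["dst"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_stale_sa_drops(SAMPLE_DEBUG)
    for h in flagged:
        print(f"stale-SA drop: proto={h['proto']} {h['src']}:{h['sport']} "
              f"-> {h['dst']}:{h['dport']} ({h['reason']})")
    print("per destination:", drops_per_destination(flagged))
```

    Run it against a saved `fw ctl debug` capture by replacing SAMPLE_DEBUG with the file contents; the destination counts tell you which connections are still pinned to the peer's pre-failover address and therefore need to be cleared or re-established.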
