After ISP failover on LSV peer, gateway keeps using the old MSPI
Symptoms
  • When the LSV peer experiences an interface failover, it eventually re-negotiates IKE MM with the R77.30 gateway.
    After the IKE negotiation completes, new connections pass through the tunnel, but old connections are still sent to the old IP address of the LSV peer.

  • Kernel debug shows the drops:
    [-- request_ipsec_sa: Renew (outbound) SA --];
    [DATE TIME]...;add_to_MSPI_requests_table_ex: Entering keyid 0;
    [DATE TIME]...;add_to_MSPI_requests_table_ex: Already have this connection;
    [DATE TIME]...;request_ipsec_sa: Trap is on the way. not trapping;
    [DATE TIME]...;VPN-1: vpn_encrypt_chain: encryption failure, dropping packet;
    [DATE TIME]...;fw_log_drop_ex: Packet proto=1 192.x.x.x:0 -> 10.x.x.x:16397 dropped by vpn_encrypt_chain Reason: No error;
    