Site-to-Site VPN fails between Check Point Security Gateway and Check Point Virtual Appliance for Amazon Web Services (AWS)

SUPPORT CENTER
USER CENTER / PARTNER MAP
CYBER TALK FOR EXECUTIVES
THREAT INTELLIGENCE
UNDER ATTACK?
- We can help. Learn more about ThreatCloud Incident Response
RISK ASSESSMENT
MY ACCOUNT
- Phone
  
  General
  United States 1-800-429-4391
  International +972-3-753-4555
  
  Support
  24x7 Technical Support
  Americas: 1-972-444-6600
  International: +972-3-6115100
  Toll Free: 1-888-361-5030
- Locations
  
  United States
  Check Point Software Technologies Inc.
  959 Skyway Road
  Suite 300
  San Carlos, CA 94070
  MAP
  
  International
  Check Point Software Technologies Ltd.
  5 Ha'Solelim Street
  Tel Aviv 67897, Israel
  MAP
- Community
  CheckMates User Community
  Blog
- Chinese
- Japanese
- Russian

Support Center > Search Results > SecureKnowledge Details

Symptoms

Site-to-Site VPN fails between Check Point Security Gateway and Check Point Virtual Appliance for Amazon Web Services (AWS).
Traffic capture shows:
1. Tunnel is initiated from Check Point Security Gateway to Check Point Virtual Appliance for AWS
2. The IKEv1 Quick Mode is completed
3. Immediately, Check Point Virtual Appliance for AWS sends a "Delete" message
Output of "fw tab -t TABLE_NAME -s" command on Check Point Virtual Appliance for AWS shows that the relevant kernel tables are not full:
- ike2esp
- vpn_queues
- peer2ike
- ike2peer
- ikev2_sas
Kernel debug ('fw ctl debug -m VPN + warn mspi') on Check Point Virtual Appliance for AWS repeatedly shows:
;store_outbound_spi_in_msa: allocating esp sa in meta sa of mspi = ...; ;store_outbound_spi_in_msa: re-aligning processed key; ;store_outbound_spi_in_msa: ERROR: could not get kbuf; ;store_spi_in_table_ex: failed to store outbound esp SA;

Solution

Note: To view this solution you need to Sign In .

THREAT INTELLIGENCE