New VPN tunnels are not being established with the peers
Version: R75, R76, R77, R77.10, R77.20, R77.30
Platform / Model
New VPN tunnels are not being established with peers.
Traffic is not passing over multiple VPN tunnels.
Problematic VPN tunnels are displayed as "Down" in SmartView Monitor.
Debug of the VPND daemon (per sk89940) shows that it fails to add the entry for the new IKE SA:
    make_ike2esp_queues: ERROR: Failed to add ike2ipsec entry for IKE SA <0x...,0x...>
    ike_esp_add_by_fields: ERROR: Failed to create new ike2esp record
    store_inbound_spi_in_table: ERROR: Failed to add SPI 0x... to inbound queue of its IKE SA
    store_spi_in_table_ex: failed to store inbound esp SA
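The following scanner is an added example for this page, not a Check Point tool: it runs the four error signatures quoted above over a VPND debug excerpt and reports each hit together with the IKE SA cookies or SPI it names, so that an operator can confirm the symptom from a vpnd debug file before looking at the IKE_SA_table. The sample lines and their hex values are constructed; only the message text comes from this SK.

```python
import re

# Error signatures quoted in this SK, as regexes that also capture the
# identifiers (IKE SA cookies or SPI) printed in the message.
IKE2ESP_SIGNATURES = {
    "ike2ipsec_entry_failed": re.compile(
        r"make_ike2esp_queues: ERROR: Failed to add ike2ipsec entry for IKE SA "
        r"<(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)>"),
    "ike2esp_record_failed": re.compile(
        r"ike_esp_add_by_fields: ERROR: Failed to create new ike2esp record"),
    "inbound_spi_failed": re.compile(
        r"store_inbound_spi_in_table: ERROR: Failed to add SPI (0x[0-9a-fA-F]+) "
        r"to inbound queue of its IKE SA"),
    "inbound_esp_sa_failed": re.compile(
        r"store_spi_in_table_ex: failed to store inbound esp SA"),
}


def scan_vpnd_debug(lines):
    """Return one finding per matching line: line number, signature name,
    and any identifiers captured from the message (empty tuple if none)."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in IKE2ESP_SIGNATURES.items():
            match = pattern.search(line)
            if match:
                findings.append({"line": number, "signature": name,
                                 "ids": match.groups()})
                break  # one signature per line is enough
    return findings


# Constructed debug excerpt (timestamps and hex values are made up).
SAMPLE_DEBUG = [
    "[vpnd 12345]@gw[1 Jan 00:00:01] make_ike2esp_queues: ERROR: Failed to add "
    "ike2ipsec entry for IKE SA <0x1a2b3c4d,0x5e6f7a8b>",
    "[vpnd 12345]@gw[1 Jan 00:00:01] ike_esp_add_by_fields: ERROR: Failed to "
    "create new ike2esp record",
    "[vpnd 12345]@gw[1 Jan 00:00:01] store_inbound_spi_in_table: ERROR: Failed to "
    "add SPI 0xdeadbeef to inbound queue of its IKE SA",
    "[vpnd 12345]@gw[1 Jan 00:00:01] store_spi_in_table_ex: failed to store "
    "inbound esp SA",
    "[vpnd 12345]@gw[1 Jan 00:00:02] unrelated informational line",
]


if __name__ == "__main__":
    for finding in scan_vpnd_debug(SAMPLE_DEBUG):
        print(finding)
```

Feed it the lines of the vpnd debug file instead of `SAMPLE_DEBUG`; a non-empty result for the first signature, repeated across several IKE SA cookie pairs for the same peer, is the pattern this SK describes.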
Flow of events:
- IKE Main Mode (MM) negotiation succeeds on the Check Point Security Gateway; the peer's IKE SA is saved in the kernel table IKE_SA_table.
- The first Quick Mode packet (QM1) never arrives.
- The Check Point Security Gateway never deletes this IKE SA.
- The peer starts IKE MM negotiation again, which ends with the Check Point Security Gateway saving yet another IKE SA for the same peer.
- Eventually this overflows the kernel table IKE_SA_table and all the kernel tables related to it (a redundant IKE SA is deleted only when that SA expires).
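To make the flow of events concrete, here is an added, deliberately simplified model of the IKE SA table; it is not Check Point code and does not reproduce the real IKE_SA_table layout, capacity or expiry values, which are assumptions. Each peer retry adds a new half-open IKE SA (Main Mode completed, Quick Mode never started). With no half-open expiry the table fills to capacity and later SAs are rejected; with a half-open timeout, stale SAs are reaped before the table can overflow.

```python
from dataclasses import dataclass


@dataclass
class IkeSa:
    peer: str
    cookies: tuple          # (initiator cookie, responder cookie), constructed values
    created_at: int         # seconds, model time
    quick_mode_done: bool = False   # stays False when QM1 never arrives


class IkeSaTable:
    """Hypothetical fixed-capacity IKE SA table (not the gateway's real table)."""

    def __init__(self, capacity, half_open_timeout=None):
        self.capacity = capacity
        self.half_open_timeout = half_open_timeout  # None = never reap (the SK's failure mode)
        self.entries = {}
        self.rejected = 0

    def reap_half_open(self, now):
        """Drop IKE SAs that never reached Quick Mode within the timeout."""
        if self.half_open_timeout is None:
            return 0
        stale = [key for key, sa in self.entries.items()
                 if not sa.quick_mode_done
                 and now - sa.created_at >= self.half_open_timeout]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def add(self, sa, now):
        """Store a new IKE SA after MM success; False means the table is full."""
        self.reap_half_open(now)
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[sa.cookies] = sa
        return True

    def half_open_per_peer(self):
        """Count of SAs without Quick Mode per peer; a rising count for one
        peer is the signature of the flow described in this SK."""
        counts = {}
        for sa in self.entries.values():
            if not sa.quick_mode_done:
                counts[sa.peer] = counts.get(sa.peer, 0) + 1
        return counts


def simulate(capacity, retries, retry_interval, half_open_timeout=None):
    """One peer renegotiates MM every retry_interval seconds and QM1 never
    arrives. Returns (entries left in the table, number of rejected SAs)."""
    table = IkeSaTable(capacity, half_open_timeout)
    for i in range(retries):
        now = i * retry_interval
        sa = IkeSa("peer-A", (0x1000 + i, 0x2000 + i), created_at=now)
        table.add(sa, now)
    return len(table.entries), table.rejected


if __name__ == "__main__":
    print("no reaping:   ", simulate(capacity=4, retries=10, retry_interval=30))
    print("60 s timeout: ", simulate(capacity=4, retries=10, retry_interval=30,
                                     half_open_timeout=60))
```

With the constructed numbers above, the unreaped table holds 4 SAs and rejects the remaining 6 attempts, which is the point at which the VPND errors quoted earlier appear; with a 60 second half-open timeout the table settles at 2 SAs and nothing is rejected.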