During IKEv2 Initial Phase re-negotiation initiated by Check Point Security Gateway to 3rd party peer, "Invalid IKE SPI" error is presented
Symptoms
  • During IKEv2 Initial Phase re-negotiation initiated by Check Point Security Gateway to 3rd party peer, "Invalid IKE SPI" error is presented.
  • The Check Point Security Gateway sends 'Invalid IKE SPI' notify payload.
  • Resetting the tunnel using VPN TU resolves the problem temporarily until the next phase 2 re-key.
Cause

At each renegotiation, the Check Point gateway deletes the old IKE SA. While rekeying is in progress, the third-party gateway still sends packets carrying the old SPI to the Check Point gateway. The Check Point gateway receives those packets but no longer has an IKE SA matching that SPI, so it sends the 'Invalid IKE SPI' notify payload.
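
The rekey race described above, as an added example (a simplified model, not Check Point code). The `Gateway` class, its SA table and the SPI values are hypothetical; the 28-byte header layout and notify type 4 (INVALID_IKE_SPI) are from RFC 7296.

```python
import struct

# RFC 7296 section 3.1 fixed IKE header: SPIi, SPIr, next payload,
# version, exchange type, flags, message ID, length (28 bytes).
IKE_HDR = struct.Struct("!8s8sBBBBII")
INVALID_IKE_SPI = 4     # RFC 7296 notify message type
INFORMATIONAL = 37      # RFC 7296 exchange type


def ike_header(spi_i, spi_r, exchange, msg_id):
    """Build a bare IKEv2 header (no payloads) for the simulation."""
    return IKE_HDR.pack(spi_i, spi_r, 0, 0x20, exchange, 0, msg_id, IKE_HDR.size)


class Gateway:
    """Hypothetical model of a gateway's IKE SA table, keyed by SPI pair."""

    def __init__(self):
        self.ike_sas = {}

    def install(self, spi_i, spi_r):
        self.ike_sas[(spi_i, spi_r)] = {"state": "established"}

    def rekey(self, old, new):
        # Behaviour from the Cause section: the old IKE SA is deleted at
        # renegotiation, so old and new SAs never overlap.
        self.ike_sas.pop(old, None)
        self.install(*new)

    def receive(self, packet):
        spi_i, spi_r, *_rest = IKE_HDR.unpack(packet[:IKE_HDR.size])
        if (spi_i, spi_r) not in self.ike_sas:
            return ("notify", INVALID_IKE_SPI)
        return ("accepted", None)


def simulate():
    old = (b"\x11" * 8, b"\x22" * 8)   # constructed SPI values
    new = (b"\x33" * 8, b"\x44" * 8)
    gw = Gateway()
    gw.install(*old)
    before = gw.receive(ike_header(*old, INFORMATIONAL, 7))
    gw.rekey(old, new)
    # The third-party peer has not switched yet and still uses the old SPIs.
    late = gw.receive(ike_header(*old, INFORMATIONAL, 8))
    fresh = gw.receive(ike_header(*new, INFORMATIONAL, 0))
    return before, late, fresh
```

`simulate()` returns the result for a packet before the rekey, a late packet on the old SPIs after the rekey, and a packet on the new SPIs.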

