VPN tunnels are established successfully although traffic is dropped with "No valid SA"
Symptoms
  • VPN traffic is dropped with "No valid SA" for random VPN tunnels.
  • SmartView Tracker shows "Main Mode completion" for the relevant problematic VPN tunnels.
  • VPN debug per sk89940 shows the following messages in vpnd.elg:
    [ PID][DATE TIME][] find_sa_by_ike_peer: vpnioctl VPN_GET_IKE_SA_BY_IKE_PEER failed
    [ PID][DATE TIME][] TalkToEngine: Engine RC is << FWIKE_ERROR >>
    [ PID][DATE TIME][] TalkToEngine: received Error reply from Engine
    
  • The fw tab -s | grep ike command on the Security Gateway shows both IKEv2 tables at 10200 entries, with #VALS equal to #PEAK (columns: HOST NAME ID #VALS #PEAK #SLINKS):
    localhost ike2esp 459 10200 10200 0
    localhost ike2peer 461 10200 10200 0
  • The problematic Gateway has at least one VPN tunnel to a 3rd-party peer that is configured for IKEv2. Establishment of this tunnel fails, and re-establishment attempts continue indefinitely.
  • Clearing the kernel tables by running the fw tab -t ike2esp -x -y and fw tab -t ike2peer -x -y commands temporarily resolves the issue.
Cause

The IKEv2 tunnel to the third-party Gateway never completes the QM phase, but at every attempt its MM cookie is written to the kernel tables (ike2esp and ike2peer). For IKEv1, an MM cookie is deleted from the kernel tables after 2 minutes if no QM was established on it. The IKEv2 MM cookie is never deleted, so each failed attempt leaves an entry behind and the tables eventually become full.

New IKEv1 tunnels (possibly unrelated to the IKEv2 tunnel) still negotiate successfully, but because the table is full their MM cookie cannot be written. The kernel then has no SA matching the negotiated tunnel, the find_sa_by_ike_peer lookup in vpnd fails, and traffic is dropped with "No valid SA" even though the log shows the tunnel as established.
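The following shell helper is an added example, not Check Point code, that automates the triage described in the Symptoms and Cause sections: it reads fw tab -s output and reports whether ike2esp/ike2peer have reached their limit, counts the vpnd.elg signatures, and prints the temporary workaround from the Symptoms section. It assumes the fw tab -s column layout (HOST NAME ID #VALS #PEAK #SLINKS) and treats the 10200 seen above as the table limit; override IKE2_TABLE_LIMIT after confirming the real limit with fw tab -t ike2esp, whose header prints the table attributes. The sample fw tab and vpnd.elg text embedded below is constructed to mirror the symptoms and is not real gateway output.

```shell
#!/bin/sh
# Added triage helper for the "No valid SA" / full ike2esp-ike2peer condition.
# Assumption: the gateway's limit for these tables is 10200 (the value shown in
# the symptoms). Confirm with:  fw tab -t ike2esp | head -3
IKE2_TABLE_LIMIT=${IKE2_TABLE_LIMIT:-10200}

# full_ike2_tables: read `fw tab -s` output on stdin and print the names of the
# ike2esp/ike2peer tables whose #VALS (4th column) has reached the limit.
full_ike2_tables() {
    awk -v limit="$IKE2_TABLE_LIMIT" '
        $2 == "ike2esp" || $2 == "ike2peer" {
            if ($4 + 0 >= limit) print $2
        }'
}

# vpnd_sa_lookup_failures: count vpnd.elg lines carrying the signature from the
# symptoms (the failed VPN_GET_IKE_SA_BY_IKE_PEER ioctl or the FWIKE_ERROR reply).
# grep -c exits 1 when nothing matches; "|| true" keeps the printed 0.
vpnd_sa_lookup_failures() {
    grep -c -E 'VPN_GET_IKE_SA_BY_IKE_PEER failed|FWIKE_ERROR' || true
}

# diagnose FWTAB_TEXT VPND_ELG_TEXT: returns 0 and prints the finding plus the
# temporary workaround when both indicators are present, 1 otherwise.
diagnose() {
    full=$(printf '%s\n' "$1" | full_ike2_tables)
    fails=$(printf '%s\n' "$2" | vpnd_sa_lookup_failures)
    if [ -n "$full" ] && [ "$fails" -gt 0 ]; then
        echo "MATCH: IKEv2 tables at limit ($IKE2_TABLE_LIMIT):" $full
        echo "MATCH: $fails SA-lookup failure lines in vpnd.elg"
        echo "Temporary workaround (clears the tables, tunnels renegotiate):"
        echo "  fw tab -t ike2esp -x -y"
        echo "  fw tab -t ike2peer -x -y"
        return 0
    fi
    echo "No match: tables at limit: '$full', vpnd failures: $fails"
    return 1
}

# Constructed sample data mirroring the symptoms section (not real output).
SAMPLE_FW_TAB='HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 1532 4099 2110
localhost ike2esp 459 10200 10200 0
localhost ike2peer 461 10200 10200 0
localhost IKE_SA_table 456 45 200 0'

SAMPLE_VPND_ELG='[ 1234][1 Jan 00:00:00][] find_sa_by_ike_peer: vpnioctl VPN_GET_IKE_SA_BY_IKE_PEER failed
[ 1234][1 Jan 00:00:00][] TalkToEngine: Engine RC is << FWIKE_ERROR >>
[ 1234][1 Jan 00:00:00][] TalkToEngine: received Error reply from Engine
[ 1234][1 Jan 00:00:01][] vpnd: unrelated informational line'

# Healthy counter-example: ike2esp far below the limit.
SAMPLE_FW_TAB_OK='HOST NAME ID #VALS #PEAK #SLINKS
localhost ike2esp 459 12 10200 0
localhost ike2peer 461 12 10200 0'

# Run against the samples when executed directly. On a gateway, feed live data:
#   diagnose "$(fw tab -s)" "$(cat $FWDIR/log/vpnd.elg)"
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    diagnose "$SAMPLE_FW_TAB" "$SAMPLE_VPND_ELG"
    diagnose "$SAMPLE_FW_TAB_OK" "$SAMPLE_VPND_ELG" || true
fi
```

The check keys on #VALS reaching the limit rather than on #VALS equalling #PEAK, because a table sitting at its own peak is not necessarily full; the flush commands are printed, not executed, so the operator decides when to drop the tables (which forces every tunnel on the gateway to renegotiate).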


Solution
Note: To view this solution you need to sign in.