VPN tunnel connection is dropped with "no MSA for MSPI" error

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk167393
Technical Level
Product	IPSec VPN
Version	R80.10 (EOL), R80.20, R80.30, R80.40
OS	Gaia
Platform / Model	Intel/PC
Date Created	21-Jun-2020
Last Modified	30-Nov-2020

Symptoms

VPN tunnel connection is dropped with "no MSA for MSPI" error.
'fw ctl zdebug drop' debug shows drops with following type of errors:
;[cpu_1];[fw4_5];fw_log_drop_ex: Packet proto=89 10.210.0.20:513 -> 224.0.0.5:44 dropped by vpn_encrypt_chain Reason: encryption failure: no MSA for MSPI;
;[cpu_1];[fw4_5];fw_log_drop_ex: Packet proto=89 10.210.0.20:513 -> 224.0.0.5:48 dropped by vpn_drop_and_log Reason: Encryption/Decryption failure, failed to switch tunnels after policy reload (VPN Error code 01);
vpn kernel debug shows: get_msa_by_mspi: Could not find MSA 1001c14 (i: 2) in meta_sas table. rc=-1, ret=-1; cphwd_crypt_traffic_report: WARNING: received bad MSPI 1001c14 (i: 2);

Cause

Background: MSPI is a tunnel identifier. It is a local counter that uniquely identifies a tunnel on the given machine. MSPI is an index to the MSA (Meta SA), which contains fields common to all SAs with the same peer, methods, and IDs. When a new IPsec tunnel is established, a new MSPI is created by it, and it gets the next free MSPI number. The MSPI counter is then increased. When an IPsec tunnel is closed, the MSPI counter is decreased.
Wrong update of MSPI reference count.

Solution

Note: To view this solution you need to Sign In .