Support Center > Search Results > SecureKnowledge Details
VPN tunnel connection is dropped with "no MSA for MSPI" error Technical Level
Symptoms
  • VPN tunnel connection is dropped with "no MSA for MSPI" error.
  • 'fw ctl zdebug drop' debug shows drops with following type of errors:
    ;[cpu_1];[fw4_5];fw_log_drop_ex: Packet proto=89 10.210.0.20:513 -> 224.0.0.5:44 dropped by vpn_encrypt_chain Reason: encryption failure: no MSA for MSPI;
    ;[cpu_1];[fw4_5];fw_log_drop_ex: Packet proto=89 10.210.0.20:513 -> 224.0.0.5:48 dropped by vpn_drop_and_log Reason: Encryption/Decryption failure, failed to switch tunnels after policy reload (VPN Error code 01);
  • vpn kernel debug shows: get_msa_by_mspi: Could not find MSA 1001c14 (i: 2) in meta_sas table. rc=-1, ret=-1; cphwd_crypt_traffic_report: WARNING: received bad MSPI 1001c14 (i: 2);
Cause
Background: MSPI is a tunnel identifier. It is a local counter that uniquely identifies a tunnel on the given machine. MSPI is an index to the MSA (Meta SA), which contains fields common to all SAs with the same peer, methods, and IDs. When a new IPsec tunnel is established, a new MSPI is created by it, and it gets the next free MSPI number. The MSPI counter is then increased. When an IPsec tunnel is closed, the MSPI counter is decreased.
Wrong update of MSPI reference count.


Solution
Note: To view this solution you need to Sign In .