Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"
The error message indicates a failure in the IPSec Security Association negotiation process: specifically, a function timeout occurred. The two most common causes of function timeouts are:
- A packet needs to be encrypted, but a new IPSec SA needed for its encryption could not be created.
- A packet needs to be decrypted, but the IPSec SA matching the SPI on the packet does not exist.
During IKE Quick Mode Exchange, the VPN daemon negotiates IPSec Security Associations (SAs) with the VPN partner site. If negotiations fail and the exchange does not complete, the VPN daemon has no IPSec SAs to send to the VPN kernel. When the VPN kernel's wait for the IPSec SAs expires (usually after 60 seconds), this error message is sent.
The message indicates that the SAs expired, but does not indicate the root cause of the problem. Other SmartView Tracker messages, before or after the "sk19423 Error", provide more information about the issue.
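One way to apply this when triaging, as an added example (not Check Point code): for each sk19423 drop, list the same peer's other log messages within the 60-second wait on either side. The `timestamp|peer|message` layout, the IKE message texts and the function names are assumptions made for illustration; a real log export has to be mapped to these three fields first.

```python
from datetime import datetime, timedelta

SK19423 = "Packet is dropped because there is no valid SA"
WINDOW = timedelta(seconds=60)  # the usual kernel wait mentioned above

# Constructed sample in an assumed "timestamp|peer|message" layout. Only the
# sk19423 text comes from the page; the IKE lines are invented placeholders.
SAMPLE = """\
2024-05-01 10:00:03|203.0.113.7|IKE: Quick Mode sent to peer
2024-05-01 10:00:05|203.0.113.7|IKE: Quick Mode failed, no proposal chosen
2024-05-01 10:00:40|198.51.100.9|IKE: Main Mode completion
2024-05-01 10:01:03|203.0.113.7|Packet is dropped because there is no valid SA - please refer to solution sk19423
not a log line
2024-05-01 10:05:00|198.51.100.9|Packet is dropped because there is no valid SA - please refer to solution sk19423
"""

def parse(text):
    """Return (time, peer, message) tuples sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return sorted(events, key=lambda e: e[0])

def correlate(events, window=WINDOW):
    """For each sk19423 drop, gather the same peer's other messages within +/- window."""
    findings = []
    for ts, peer, msg in events:
        if SK19423 not in msg:
            continue
        related = [m for t, p, m in events
                   if p == peer and SK19423 not in m and abs(t - ts) <= window]
        findings.append({"time": ts, "peer": peer, "related": related})
    return findings

if __name__ == "__main__":
    for f in correlate(parse(SAMPLE)):
        print(f["time"], f["peer"], f["related"] or "no nearby messages: widen the window")
```

A drop with an empty `related` list means the negotiation failure was logged outside the window or for a different peer, so widen `window` before concluding that nothing else was logged.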