Troubleshooting "No valid SA" error
Solution

"No valid SA"

The error message indicates a failure in the IPSec Security Association negotiation process; specifically, a function timeout occurred. The two most common causes of function timeouts are:

  • A packet needs to be encrypted, but a new IPSec SA needed for its encryption could not be created.
  • A packet needs to be decrypted, but the IPSec SA matching the SPI on the packet does not exist.

During the IKE Quick Mode exchange, the VPN daemon negotiates IPSec Security Associations (SAs) with the VPN partner site. If the negotiation fails and the exchange does not complete, the VPN daemon has no IPSec SAs to send to the firewall kernel. Because it did not receive updated IPSec SAs, the firewall daemon expires the running VPN's state table entries, or does not start a new VPN. That expiration triggers this error message.

The message indicates the SAs expired, but does not indicate the root cause of the problem. Other SmartView Tracker messages, before or after the "sk19423 Error", provide more information about the issue.

For a more comprehensive discussion, see sk19423: Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
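To make the advice above concrete (look at what was logged before and after the error, for the same peer), here is an added Python example that is not part of this SK or of any Check Point tool. It reads a constructed, simplified log (one line per event: timestamp, peer, message; this is not SmartView Tracker's real export format), finds each "no valid SA" drop, and lists the cause hints that the scenarios in this article attach to other messages logged within a short window for the same peer. The window size, the line format and the mapping table are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Messages this SK associates with a root cause; "No valid SA" itself carries
# none. The scenario numbers refer to the sections of this article.
CAUSE_HINTS = {
    "No proposal chosen": "Phase 2 proposal / VPN domain mismatch (Scenarios 3, 4)",
    "Invalid ID information": "Quick Mode ID mismatch, typically supernetting (Scenario 3)",
    "No response from peer": "peer not answering IKE (Scenarios 3, 4)",
    "payload malformed - possibly a mismatch in pre-shared keys": "pre-shared key or Main Mode failure (Scenario 9)",
    "Both end points are in the encryption domain": "overlapping encryption domains (Scenario 6)",
    "Could not agree on common methods": "appliance lost its Service Center connection (Scenario 7)",
}

NO_VALID_SA = re.compile(r"no valid SA", re.IGNORECASE)

# Assumed, simplified line layout: "<ISO timestamp> peer=<ip> msg=<text>".
LINE = re.compile(r"^(?P<ts>\S+) peer=(?P<peer>\S+) msg=(?P<msg>.*)$")

# Constructed sample log for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-01-01T10:00:00 peer=203.0.113.5 msg=Main Mode completed
2024-01-01T10:00:01 peer=203.0.113.5 msg=Quick Mode: No proposal chosen
2024-01-01T10:00:02 peer=203.0.113.5 msg=Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
2024-01-01T10:00:03 peer=198.51.100.9 msg=Encryption failure: packet is dropped as there is no valid SA
2024-01-01T10:00:04 peer=198.51.100.9 msg=Encryption failure: No response from peer
2024-01-01T10:30:00 peer=203.0.113.5 msg=Encryption failure: Both end points are in the encryption domain
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, peer, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["peer"], m["msg"]))
    return events


def correlate(text, window_seconds=60):
    """For every 'no valid SA' drop, collect cause hints from other messages
    of the same peer logged within +/- window_seconds of the drop.

    Returns {peer: [(drop_timestamp_iso, [hints...]), ...]}."""
    window = timedelta(seconds=window_seconds)
    by_peer = defaultdict(list)
    for ts, peer, msg in parse_log(text):
        by_peer[peer].append((ts, msg))

    findings = {}
    for peer, events in by_peer.items():
        for ts, msg in events:
            if not NO_VALID_SA.search(msg):
                continue
            hints = []
            for other_ts, other_msg in events:
                if other_ts == ts and other_msg == msg:
                    continue  # the drop itself
                if abs(other_ts - ts) > window:
                    continue  # outside the correlation window
                for needle, cause in CAUSE_HINTS.items():
                    if needle in other_msg:
                        hints.append(cause)
            if not hints:
                hints = ["no cause hint within window; check IKE debug output"]
            findings.setdefault(peer, []).append((ts.isoformat(), hints))
    return findings


if __name__ == "__main__":
    for peer, drops in correlate(SAMPLE_LOG).items():
        for when, hints in drops:
            print(f"{peer} {when}: {'; '.join(hints)}")
```

In the sample, the 203.0.113.5 drop is explained by the "No proposal chosen" logged one second earlier, while the "Both end points" message half an hour later falls outside the window and is ignored; for 198.51.100.9 the hint comes from the message logged after the drop.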

Various Scenarios

There are quite a number of scenarios in which you may encounter the "No valid SA" error. The scenarios that we have encountered and dealt with are detailed below.

Scenario 1

Title: Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

Product: Security Gateway

OS: SecurePlatform

Symptoms:

  • Error in SmartView Tracker: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".

Summary: The message indicates the SAs expired, but does not indicate the root cause of the problem. Other SmartView Tracker messages, before or after the "sk19423 Error", provide more information about the issue. This article discusses troubleshooting encryption errors that spawn the sk19423 message in various configurations.

See sk19423: Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".


Scenario 2

Title: "No valid SA" logs in SmartView Tracker when creating IPsec VPN tunnel with an interoperable device.

Product: Security Gateway

OS: All

Symptoms:

  • "No valid SA" logs in SmartView Tracker when creating IPsec VPN tunnel with an interoperable device.

Summary: This problem is due to the ability of the Check Point Security Gateway to dynamically supernet subnets to reduce the amount of SA overhead normally generated by VPN traffic. Most third-party vendors are inherently static and therefore do not have the ability to understand this dynamic behaviour. There are currently three possible solutions to this problem.

See Scenario 1 in sk108600 - VPN Site-to-Site with 3rd party.


Scenario 3

Title: Site-to-site VPN tunnel fails with various error messages

Product: Security Gateway

OS: SecurePlatform, Windows

Symptoms:

  • Site-to-site VPN tunnel with 3rd party vendor fails with one or more errors in SmartView Tracker:

    • Error: "Encryption failure: packet is dropped as there is no valid SA"
    • Error: "No valid SA"
    • Error: "Encryption failure: No response from peer"
    • Error: "No proposal chosen"
  • "Invalid ID information" error in SmartView Tracker when the Security Gateway initiates a Quick Mode.

  • VPN tunnel can be initiated from one side to the other but no return traffic is seen.

  • TCPdump on the external interface shows that UDP traffic on port 500 enters the Security Gateway, but is not routed past the Security Gateway.

  • VPN tunnel becomes unstable after an 'IKE: Send Delete' packet was sent.

Summary: Phase-two Quick Mode failure occurs due to the configuration (or misconfiguration) of the VPN/encryption domain for the firewalls involved in Site-to-Site VPN tunnels. Typically, this occurs when the VPN domain group contains either numerous networks, or numerous hosts from different consecutive networks along with network objects. This article discusses troubleshooting the supernetting issue.

See Scenario 1 in sk108600 - VPN Site-to-Site with 3rd party.


Scenario 4

Title: VPN between Check Point Security Gateway and Cisco PIX fails: "No valid SA"

Product: Security Gateway

OS: SecurePlatform

Symptoms:

  • Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
  • VPN between Check Point Security Gateway and Cisco PIX fails.
  • SmartView Tracker may display the following error messages:

    • Error: "Encryption failure: packet is dropped as there is no valid SA"
    • Error: "No valid SA"
    • Error: "Encryption failure: No response from peer"
    • Error: "No proposal chosen"

Summary: VPN between Check Point Security Gateway and Cisco PIX may fail because Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is usually configured for network based VPN.

VPN between Check Point Security Gateway and Cisco PIX may also fail due to a mismatch in the settings between the two devices. For instance, if the Check Point Security Gateway proposes a network of 192.168.1.X/24, but the Cisco access list is set up for traffic from 192.168.X.X/16, the connection will fail.
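As an added illustration that is not part of this SK, the following Python script models the behaviour behind Scenarios 2 to 4: it merges the local VPN domain the way the gateway's dynamic supernetting would (using the standard library's `collapse_addresses`) and reports which proposed Quick Mode IDs a static peer has no identical selector for. The networks, the `supernetting` flag and the function names are assumptions for the example, not Check Point settings or code.

```python
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def proposed_ids(vpn_domain: Iterable[str], supernetting: bool = True) -> List[Net]:
    """Model the Quick Mode IDs the gateway would propose for its VPN domain.

    With supernetting on, adjacent or overlapping networks (and hosts) in the
    domain are merged into the smallest covering networks, which is what
    collapse_addresses computes. With it off, each object is proposed as-is
    (hosts as /32). Constructed model for this example, not gateway code."""
    nets = [ipaddress.ip_network(n, strict=False) for n in vpn_domain]
    if supernetting:
        return list(ipaddress.collapse_addresses(nets))
    return sorted(set(nets))


def selector_mismatches(proposed: Iterable[Net], peer_selectors: Iterable[str]) -> List[str]:
    """Return proposed IDs (as strings) the static peer has no identical entry for.

    A third-party peer compares Quick Mode IDs with its configured selectors
    exactly, so a supernet the peer never configured and a /24 proposed against
    a /16 access list both come back as mismatches."""
    peer = {ipaddress.ip_network(s, strict=False) for s in peer_selectors}
    return [str(p) for p in proposed if p not in peer]


if __name__ == "__main__":
    # Scenario 4 case from this SK: a /24 is proposed, the peer ACL is written for the /16.
    print(selector_mismatches(proposed_ids(["192.168.1.0/24"]), ["192.168.0.0/16"]))

    # Scenario 3 case (constructed addresses): two consecutive /24s plus a host
    # are supernetted into a /23 the peer does not know; with supernetting off
    # the IDs line up with the peer's static entries.
    domain = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.5/32"]
    peer = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.5/32"]
    print(selector_mismatches(proposed_ids(domain), peer))
    print(selector_mismatches(proposed_ids(domain, supernetting=False), peer))
```

The first call reports `192.168.1.0/24` as unmatched; the second reports the merged `10.1.0.0/23`; the third reports nothing, which is the effect of making the Check Point side propose per-subnet IDs that the static peer expects.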

See Scenario 3 in sk112054: Troubleshooting the "Encryption failure: no response from peer" error.


Scenario 5

Title: Why do packets get dropped in IPSO cluster with error "Packet is dropped because there is no valid SA"

Product: Security Gateway

OS: IPSO

Symptoms:

  • When running SecureClient / SecuRemote connections to Nokia IPSO 3.7 and Check Point cluster, the connection is properly established, but some servers in the encryption domain cannot always be accessed. The log shows packets being dropped with the following error message: encryption fail reason: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in Secureknowledge database for more information."

Summary: In the IPSO and Check Point cluster environment, a Quick Mode SA can also be initiated from the cluster side to the SecureClient station, not just from the client side to the cluster. Even though there is already an active IPSec SA, established by the client, the Check Point cluster sometimes wants to establish its own, corresponding IPSec SA. The SA is initiated when a return packet is handled by a different cluster member than the one that handled the initial client IKE connection.

If the SA negotiation initiated from the cluster side fails for some reason, a situation can arise where part of the connections to the encryption domain work properly, but part of the connections fail. In this case, the logs show packets being dropped with the above error message.

See sk40187: Why do packets get dropped in IPSO cluster with error "Packet is dropped because there is no valid SA".


Scenario 6

Title: Error: "Encryption failure: Both endpoints are in the encryption domain"

Product: Security Gateway

Symptoms:

  • VPN rule result is "Accept" instead of "Encrypt", followed by error: "Both end points are in the encryption domain".
  • Error: "Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

Cause:

Two possible causes are:

  • In VPN-1 Power/UTM NGX and above, the Security Gateway's interface is automatically included in its Encryption Domain.
  • If Virtual Interfaces are used on the Security Gateway, these Virtual Interfaces are also included in the Security Gateway's Encryption Domain, even though they were not explicitly defined as part of the Encryption Domain.

Solution:

Remove overlapping Encryption Domains, or any Virtual Interface IP Addresses of the Security Gateway that could result in a conflict.
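An added Python example, not part of this SK, that models the cause described in this scenario: the effective encryption domain is the explicitly defined networks plus the gateway's own interface and Virtual Interface addresses, and any overlap between that effective domain and the remote domain is what puts both endpoints inside the encryption domain. The addresses and function names are constructed for the example; treating the implicit interface addresses as /32 entries is an assumption of the model.

```python
import ipaddress
from itertools import product
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def effective_domain(explicit: Iterable[str], gateway_ips: Iterable[str]) -> List[Net]:
    """Model the gateway's effective encryption domain as this SK describes it:
    the explicitly defined networks plus the gateway's interface and Virtual
    Interface addresses, which are included implicitly (modelled as /32s).
    Constructed model for the example, not gateway code."""
    nets = [ipaddress.ip_network(n, strict=False) for n in explicit]
    nets += [ipaddress.ip_network(ip + "/32") for ip in gateway_ips]
    return list(ipaddress.collapse_addresses(nets))


def domain_overlaps(local: Iterable[Net], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local, remote) pairs whose networks overlap.

    Traffic between two addresses inside such a pair has both endpoints in
    the encryption domain, so the rule matches as Accept rather than Encrypt
    and no SA exists for the packet."""
    remote_nets = [ipaddress.ip_network(n, strict=False) for n in remote]
    return [(str(a), str(b)) for a, b in product(local, remote_nets) if a.overlaps(b)]


if __name__ == "__main__":
    explicit = ["10.1.0.0/16"]          # constructed local VPN domain
    remote = ["172.16.0.0/24"]          # constructed peer VPN domain
    # Constructed: the gateway carries a Virtual Interface addressed inside the peer's domain.
    gateway_ips = ["198.51.100.1", "172.16.0.1"]
    print(domain_overlaps(effective_domain(explicit, gateway_ips), remote))

    # The Solution above: remove the conflicting Virtual Interface address.
    print(domain_overlaps(effective_domain(explicit, ["198.51.100.1"]), remote))
```

The first check reports the implicit `172.16.0.1/32` overlapping the peer's `172.16.0.0/24` even though it was never added to the domain explicitly; after the conflicting address is removed the second check reports no overlap.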


Scenario 7

Title: Cannot Establish Site-to-Site VPN Between Managed UTM-1 Edge Devices

Product: Edge

Symptoms:

  • Cannot establish site-to-site VPN between two UTM-1 Edge appliances managed by the same Security Management Server.
  • SmartView Tracker shows VPN traffic between sites as dropped due to no valid SA.
  • IKE debugs contain the error "FW_SECUREMOTE_NOTIFICATION: Could not agree on common methods. Check that the user is properly defined."
  • Unable to manage device from SmartDashboard.

Cause: The appliances have lost their connection to the Service Center (Security Management Server).

Solution:

Re-connect the UTM-1 Edge appliances to the Service Center.


Scenario 8

Title: VPN packets dropped with "no valid SA" error, when CoreXL enabled in VPN over a VPN configuration

Product: CoreXL

OS: SecurePlatform 2.6, IPSO 6.2

Symptoms:

  • VPN packets are dropped with "no valid SA" error, when CoreXL is enabled in VPN over a VPN configuration.

Cause: CoreXL is incorrectly passing the decrypted VPN packet to a separate gateway causing the firewall to decide that it should decrypt the second VPN packet.

Solution:

Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.


Scenario 9

Title: iPhone L2TP connections fail in LS Cluster environment

Product: Security Gateway

Version: NGX R65

OS: Linux, SecurePlatform, SecurePlatform 2.6, Windows

Symptoms:

  • iPhone (with R65 HFA_50) L2TP connections fail in LS Cluster environment.
  • Generic error messages seen include "Main Mode Sent Notification to Peer: payload malformed - possibly a mismatch in pre-shared keys" and "No valid SA".

Cause: NGX R65 HFA_50 has a bug that breaks L2TP connections.

Solution:

iPhone L2TP connections do work in NGX R65 HFA_40.

Please upgrade the firewall to R70 or higher. A fix should be incorporated in these releases.

Please also note that you may have to upgrade the Management server to the same version or higher. Check Point does not support having the firewall at a higher level than the Management server.


Applies To:
  • This SK replaces sk35224, sk61245, sk82780 and sk57321.
