Hello,
Find below the explanations in sk19423.
Regards
Symptoms
* Error: "Packet is dropped because there is no valid SA - please refer to
solution sk19423 in SecureKnowledge Database for more information".
Cause
The Error message indicates a failure in the IPSec Security Association
negotiations process: specifically a function timeout occurred. The two most
common causes of function timeouts are:
a) A packet needs to be encrypted but a new IPSec SA needed for its encryption
could not be created
b) A packet needs to be decrypted but the IPSec SA matching the SPI on the
packet does not exist
During IKE Quick Mode Exchange, the VPN daemon negotiates IPSec Security
Associations (SAs) with the VPN partner site. If negotiations fail and the
exchange does not complete, the VPN daemon has no IPSec SAs to send to the
firewall kernel. The firewall daemon expires the running VPN's state table
entries or does not start a new VPN, since it did not receive the updated IPSec
SAs. The expiration triggers this error message.
The message indicates the SAs expired, but does not indicate the root cause of
the problem. Other SmartView Tracker messages, before or after the "sk19423
Error", provide more information about the issue.
For more information about the full IKE process, please refer to "RFC 2409 -
The Internet Key Exchange".
Solution
Review SmartView Tracker for other information/error messages before or after
the "sk19423 error". Specifically, check to see if an IKE negotiation has
failed or succeeded:
Procedure:
1. Open SmartView Tracker.
2. On the left-hand pane, double-click the "VPN-1" query menu item.
3. View the queried logs in the right pane.
Note:
Be sure to verify the system clocks for all Security Gateways included in the
VPN are synchronized. Unsynchronized system clocks can contribute to the
symptom.
If the negotiation was successful:
A log entry in SmartView Tracker is displayed. The "Action" field of this entry
displays the text "Key Install" and the "Information" field reads "IKE: Quick
Mode completion". In case the IKE negotiation was successful, no corrective
action for the "sk19423 error" is required.
If the negotiation failed:
Log entries display the "Encryption Scheme" field containing the text "IKE".
The log entries vary but more accurately pinpoint the problem. Use these
information/error messages to search SecureKnowledge for specific fixes. If
additional IKE error messages do not exist, and a VPN connection is not
working, generate a VPN debug report and open a Service Request with Check
Point Technical Support.
Starting in NG with AI R55 HFA_3, log entries for the failure are more granular.
A unique log record is used for cases where there is no matching IPSec SA for
the SPI specified in an IPSec packet to be decrypted. When IPSec SA generation
fails, the peer type, mobile or gateway, is indicated in the message.
Some issues causing the generation of these log records have been resolved in
recent Hot Fix Accumulators. Check Point recommends upgrading to the latest HFA
to include these changes to application logic in the firewall configuration.
However, there are situations where these log records are generated and the
cause is external to the application logic such as a configuration or network
problem.
To get the latest HFA for your product, version and Operating System, go to
http://www.checkpoint.com/techsupport/hfa.html.
This quick "Troubleshooting encryption issues in relation to sk19423" document
has been created to provide some tips for troubleshooting encryption errors
that spawn the sk19423 message in various configurations.
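The check the sk describes (look for a "Key Install" / "IKE: Quick Mode completion" record or an IKE failure record near the sk19423 drop) can be scripted over an exported log. The helper below is an added example, not part of sk19423 or of either list post; the pipe-separated export format, the "Reject" action value and the "No proposal chosen" text are constructed sample data, not real SmartView Tracker output.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class LogRecord:
    time: datetime
    action: str   # SmartView Tracker "Action" column
    scheme: str   # "Encryption Scheme" column
    info: str     # "Information" column

# Constructed sample exports, one record per line: time|Action|Encryption Scheme|Information.
# In SAMPLE_FAIL an IKE reject (constructed text) precedes the sk19423 drop and pinpoints the cause.
SAMPLE_FAIL = """\
2007-04-03 13:12:38|Reject|IKE|IKE: No proposal chosen (constructed sample)
2007-04-03 13:12:40|Drop|IKE|Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge
"""
# In SAMPLE_OK Quick Mode completes right after the drop, so no corrective action is needed.
SAMPLE_OK = """\
2007-04-03 13:12:40|Drop|IKE|Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge
2007-04-03 13:12:43|Key Install|IKE|IKE: Quick Mode completion
"""
# Next step per verdict, following the sk's three outcomes.
ADVICE = {
    "ike_failed": "search SecureKnowledge for the specific IKE error text",
    "ike_succeeded": "Quick Mode completed; no corrective action for sk19423 required",
    "no_ike_evidence": "verify gateway clocks, generate a VPN debug report, open a Service Request",
}

def parse(text):
    """Turn the constructed export into LogRecord objects."""
    records = []
    for line in filter(None, text.splitlines()):
        t, action, scheme, info = line.split("|", 3)
        records.append(LogRecord(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), action, scheme, info))
    return records

def triage(records, window_seconds=300):
    """Return (drop time, verdict, supporting IKE messages) for every sk19423 drop."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for drop in (r for r in records if "sk19423" in r.info):
        # Other IKE records before or after the drop, within the window.
        nearby = [r for r in records if r is not drop and abs(r.time - drop.time) <= window]
        ike = [r for r in nearby if r.scheme == "IKE" and "sk19423" not in r.info]
        failures = [r for r in ike if r.action in ("Reject", "Drop")]
        success = [r for r in ike if r.action == "Key Install" and "Quick Mode completion" in r.info]
        verdict = "ike_failed" if failures else "ike_succeeded" if success else "no_ike_evidence"
        findings.append((drop.time, verdict, [r.info for r in (failures or success)]))
    return findings
```

Run `triage(parse(SAMPLE_FAIL))` and `triage(parse(SAMPLE_OK))` and look up `ADVICE[verdict]` for each finding; a drop with no IKE record inside the window yields "no_ike_evidence".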
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Julio Bretín Díaz
Sent: Tuesday, April 03, 2007 1:14 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Problem with VPN
Hi,
I'm receiving the following error when I configure a site-to-site VPN.
Encryption fail reason: Packet is dropped because there is no valid SA - please
refer to solution sk19423 in SecureKnowledge.
I've been googling and haven't found this sk article nor any information about
how I can solve this problem.
Please, if anyone knows how to solve it or has this article, send me
some help.
Thanks in advance and best regards,
Julio.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================