Hi, I found the attached solution on Check Point's web site. I saved it as a text file. Hope you can read it, if not let me know.
Valencia Taylor
Check Point Firewall Administrator
[EMAIL PROTECTED]
Room 6528 South Agriculture Building
202-720-4402

"Julio Bretín Díaz" <[EMAIL PROTECTED]>
Sent by: "Mailing list for discussion of Firewall-1" <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
04/03/2007 01:14 PM
Please respond to "Mailing list for discussion of Firewall-1" <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
cc:
Subject: [FW-1] Problem with VPN

Hi,

I'm receiving the following error when I configure a site to site VPN:

Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge.

I've been googling and haven't found this sk article nor any information about how I can solve this problem. Please, if anyone knows how to solve it or has this article, please send me some help.

Thanks in advance and best regards,
Julio.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
In the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

Solution ID: #sk19423
Product: VPN-1 Pro (VPN-1/FW-1)
Version: NG AI
Last Modified: 19-Sep-2006

Symptoms

Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".

Cause

The error message indicates a failure in the IPSec Security Association (SA) negotiation process: specifically, a function timeout occurred. The two most common causes of function timeouts are:

a) A packet needs to be encrypted, but the new IPSec SA needed for its encryption could not be created.
b) A packet needs to be decrypted, but no IPSec SA matching the SPI on the packet exists.

During the IKE Quick Mode exchange, the VPN daemon negotiates IPSec SAs with the VPN partner site. If the negotiation fails and the exchange does not complete, the VPN daemon has no IPSec SAs to send to the firewall kernel. The firewall daemon then expires the running VPN's state table entries, or does not start a new VPN, because it did not receive the updated IPSec SAs. This expiration triggers the error message.

The message indicates that the SAs expired, but it does not indicate the root cause of the problem. Other SmartView Tracker messages, before or after the "sk19423 error", provide more information about the issue. For more information about the full IKE process, refer to "RFC 2409 - The Internet Key Exchange".

Solution

Review SmartView Tracker for other information/error messages before or after the "sk19423 error". Specifically, check whether the IKE negotiation failed or succeeded.

Procedure:
1. Open SmartView Tracker.
2. In the left-hand pane, double-click the "VPN-1" query menu item.
3. View the queried logs in the right pane.

Note: Be sure to verify that the system clocks of all Security Gateways included in the VPN are synchronized. Unsynchronized system clocks can contribute to the symptom.

If the negotiation was successful: a log entry is displayed in SmartView Tracker whose "Action" field reads "Key Install" and whose "Information" field reads "IKE: Quick Mode completion". In this case, no corrective action for the "sk19423 error" is required.

If the negotiation failed: the log entries have an "Encryption Scheme" field containing the text "IKE". These entries vary, but they pinpoint the problem more accurately. Use their information/error messages to search SecureKnowledge for the specific fix(es).

If no additional IKE error messages exist and a VPN connection is not working, generate a VPN debug report and open a Service Request with Check Point Technical Support.

Starting in NG with AI R55 HFA_3, the log entries for the failure are more granular: a unique log record is used for the case where there is no IPSec SA matching the SPI specified in an IPSec packet to be decrypted, and when IPSec SA generation fails, the peer type (mobile or gateway) is indicated in the message.

Some of the issues that cause these log records to be generated have been resolved in recent Hot Fix Accumulators (HFAs). Check Point recommends upgrading to the latest HFA to include these changes to the firewall's application logic. However, there are situations in which these log records are generated and the cause is external to the application logic, such as a configuration or network problem. To get the latest HFA for your product, version and operating system, go to http://www.checkpoint.com/techsupport/hfa.html.

The "Troubleshooting encryption issues in relation to sk19423" document was created to provide tips for troubleshooting encryption errors that produce the sk19423 message in various configurations.

Applies To:
VPN-1 / FireWall-1 NG with AI R54
VPN-1 / FireWall-1 NG with AI R55
Virtual Private Network (VPN)
IKE
Encryption
Security Associations (SA)
Security Parameter Index (SPI)
No valid SA
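The Solution section above boils down to a correlation rule: for each sk19423 drop, look at the IKE records for the same peer close in time and decide whether Quick Mode completed (no action), an IKE failure is logged (that message is the real lead), or nothing IKE-related is there (debug report and Service Request). The script below is an added example that applies that rule to an exported log, not Check Point code or a SmartView Tracker feature. The semicolon-separated field layout (time;action;encryption scheme;peer;information) and all sample records, including the "No proposal chosen" reject text, are constructed for the example and do not reproduce a real export format.

```python
"""Triage sk19423 ("no valid SA") drops against nearby IKE log records.

Added example, not Check Point code. The export format and the sample
records are constructed; adjust parse_log() to your own log export.
"""
from datetime import datetime, timedelta

# Constructed sample export: time;action;encryption_scheme;peer;information
SAMPLE_LOG = """\
2007-04-03 13:10:02;Key Install;IKE;192.0.2.10;IKE: Main Mode completion
2007-04-03 13:10:05;Drop;;192.0.2.10;Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge
2007-04-03 13:10:06;Reject;IKE;192.0.2.10;IKE: Quick Mode Received Notification from Peer: No proposal chosen
2007-04-03 13:20:01;Key Install;IKE;198.51.100.7;IKE: Quick Mode completion
2007-04-03 13:20:03;Drop;;198.51.100.7;Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge
2007-04-03 13:30:00;Drop;;203.0.113.4;Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge
"""


def parse_log(text):
    """Parse the constructed export into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, scheme, peer, info = line.split(";", 4)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "action": action,
            "scheme": scheme,
            "peer": peer,
            "info": info,
        })
    return records


def is_sk19423(rec):
    """True for the 'no valid SA' drop that references sk19423."""
    return "sk19423" in rec["info"]


def triage(records, window=timedelta(minutes=5)):
    """Classify every sk19423 drop per peer.

    Returns {peer: [(status, detail), ...]} where status is one of
    'negotiated', 'ike_failure' or 'no_ike_logs'.
    """
    verdicts = {}
    for drop in (r for r in records if is_sk19423(r)):
        # Only IKE records for the same peer within the time window matter.
        nearby = [
            r for r in records
            if r is not drop
            and r["peer"] == drop["peer"]
            and r["scheme"] == "IKE"
            and abs(r["time"] - drop["time"]) <= window
        ]
        # A Main Mode completion alone is not enough: the IPSec SA comes
        # from Quick Mode, so only "Quick Mode completion" clears the drop.
        completed = any(
            r["action"] == "Key Install" and "Quick Mode completion" in r["info"]
            for r in nearby
        )
        if completed:
            verdict = ("negotiated",
                       "IKE Quick Mode completed; no corrective action for sk19423")
        else:
            failures = [r for r in nearby if r["action"] != "Key Install"]
            if failures:
                # The IKE failure text is what to search SecureKnowledge for.
                verdict = ("ike_failure", failures[0]["info"])
            else:
                verdict = ("no_ike_logs",
                           "no IKE records near the drop; verify gateway clocks, "
                           "collect a VPN debug report and open a Service Request")
        verdicts.setdefault(drop["peer"], []).append(verdict)
    return verdicts


if __name__ == "__main__":
    for peer, results in triage(parse_log(SAMPLE_LOG)).items():
        for status, detail in results:
            print(f"{peer}: {status} - {detail}")
```

The window is deliberately wide because the SK text says the revealing IKE message may come before or after the drop; tighten it once you know your peers' rekey cadence. Note that the first peer is classified as an IKE failure even though a Main Mode completion was logged, which is exactly the case the article warns about: Phase 1 success does not yield the IPSec SA.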