Check Point VPN failure - Failed to get IKE SA qid for cookie

Article ID: 167975

Products

XOS

Issue/Introduction

Check Point VPN failure on VSX R65/R67 - Failed to get IKE SA qid for cookie

Symptoms:
  • Check Point VPNs on VSX R65 or R67 continuously disconnect
  • Check Point log contains messages like "encryption failure: Unknown SPI: 0xNNNNNNNN for IPsec packet"
  • Running vpn tu -vs <N> to list SAs shows the following error message for many of them:

Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx> 
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx> 
..
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx> 

Cause

This is an unexpected VPN condition on Check Point VSX R65 / R67, related to the tables that the vpn tu command references.

Resolution

Please contact Check Point to receive a hotfix for this issue.

Workaround

Clearing the IPsec and IKE SAs for the affected peers should re-initialize and re-establish the VPN tunnels.