Check Point VPN failure - Failed to get IKE SA qid for cookie
Article ID: 167975
Products
XOS
Issue/Introduction
Check Point VPN failure on VSX R65/R67 - Failed to get IKE SA qid for cookie
Symptoms:
Check Point VPNs on VSX R65 or R67 continuously disconnect
Check Point log contains messages like "encryption failure: Unknown SPI: 0xNNNNNNNN for IPsec packet"
When running vpn tu -vs <N> to list SAs, many show the following error message:
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
..
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
Cause
This is an unexpected VPN condition with Check Point VSX R65 / R67 related to tables that the command vpn tu references.
Resolution
Please contact Check Point to receive a hotfix for this issue.
Workaround
Clearing the IPsec and IKE SAs for the affected peers should re-initialize and re-establish the VPN tunnels.