Check Point VPN failure - Failed to get IKE SA qid for cookie
Article ID: 167975
Updated On:
Products
XOS
Issue/Introduction
Check Point VPN failure on VSX R65/R67 - Failed to get IKE SA qid for cookieSymptoms:
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
..
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
- Check Point VPNs on VSX R65 or R67 continuously disconnect
- Check Point log contains messages like "encryption failure: Unknown SPI: 0xNNNNNNNN for IPsec packet"
- Running vpn tu -vs <N> to list SAs, many show following error message:
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
..
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
Cause
This is an unexpected VPN condition with Check Point VSX R65 / R67 related to tables that the command vpn tu references.
Resolution
Please contact Check Point to receive a hotfix for this issue.
Workaround
Clearing the IPsec and IKE SAs for the affected peers should re-initialize and re-establish the VPN tunnels.Feedback
Powered by
