Issue/Introduction:
Check Point VPN failure on VSX R65/R67 - Failed to get IKE SA qid for cookieSymptoms:
-
Check Point VPNs on VSX R65 or R67 continuously disconnect
-
Check Point log contains messages like "encryption failure: Unknown SPI: 0xNNNNNNNN for IPsec packet"
-
Running vpn tu -vs <N> to list SAs, many show following error message:
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
..
Failed to get IKE SA qid for cookie <xxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxx>
Cause:
This is an unexpected VPN condition with Check Point VSX R65 / R67 related to tables that the command vpn tu references.
Resolution:
Please contact Check Point to receive a hotfix for this issue.
Workaround
Clearing the IPsec and IKE SAs for the affected peers should re-initialize and re-establish the VPN tunnels.