

This happens a whole lot, the issue is trying to explain to management and other people, what the issue is….

Symptoms: Traffic enters the firewall (CheckPoint in this case) which has an IPSec LAN-to-LAN, with a 3rd party and/or remote site, but is getting dropped.

You check the CheckPoint FW-1 logs called SmartView Tracker and see the following error message:

Encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

Here is the link to the actual CheckPoint KB article:

CheckPoint sk19423 in SecureKnowledge Database

Go to that article, and the two main points are:

A. A packet needs to be encrypted, but a new IPSec SA needed for its encryption could not be created.

B. A packet needs to be decrypted, but the IPSec SA matching the SPI on the packet does not exist.

CheckPoint you did a good job of providing me with a KB article number, within the actual firewall logs, and lo and behold, that actual KB article is retrievable on the web. So you get mad points for that, whole part…. But now explain, CheckPoint as to why, possibly, the IPSec SA could not be created?….
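The two conditions quoted from sk19423 (points A and B), modelled as an added example that is not Check Point code or anything from the KB article: a toy gateway keeps inbound SAs keyed by the SPI read from the ESP header and outbound SAs keyed by the traffic selector. The class, the `negotiate` callback (a stand-in for the IKE negotiation), the addresses and the SPI values are all assumptions constructed for illustration.

```python
import struct

# Drop reasons worded after points A and B of sk19423 as quoted on this page.
DROP_A = "a new IPSec SA needed for encryption could not be created"
DROP_B = "no IPSec SA matches the SPI on the packet"

class Gateway:
    """Toy SA database for one gateway (illustrative only)."""

    def __init__(self, negotiate):
        self.inbound = {}           # SPI -> peer address, consulted to decrypt
        self.outbound = {}          # (local_net, remote_net) -> SPI, consulted to encrypt
        self.negotiate = negotiate  # hypothetical callback: returns SA tuple or None

    def install(self, local_net, remote_net, spi_in, spi_out, peer):
        self.inbound[spi_in] = peer
        self.outbound[(local_net, remote_net)] = spi_out

    def receive_esp(self, packet):
        # An ESP header starts with a 32-bit SPI, then a 32-bit sequence number.
        if len(packet) < 8:
            return "drop: truncated ESP header"
        spi, _seq = struct.unpack("!II", packet[:8])
        if spi not in self.inbound:                      # point B
            return f"drop: {DROP_B} (SPI 0x{spi:08x})"
        return f"accept from {self.inbound[spi]}"

    def send(self, local_net, remote_net):
        key = (local_net, remote_net)
        if key not in self.outbound:
            sa = self.negotiate(local_net, remote_net)   # try to build a new SA
            if sa is None:                               # point A
                return f"drop: {DROP_A}"
            self.install(local_net, remote_net, *sa)
        return f"encrypt with SPI 0x{self.outbound[key]:08x}"

def esp(spi, seq=1):
    """Constructed ESP packet: SPI, sequence number, dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16

def peer_rejects(local_net, remote_net):
    """Constructed failure: the remote side does not agree to an SA."""
    return None

if __name__ == "__main__":
    gw = Gateway(peer_rejects)
    gw.install("10.1.0.0/24", "10.2.0.0/24", 0x1111AAAA, 0x2222BBBB, "203.0.113.10")
    print(gw.receive_esp(esp(0x1111AAAA)))        # SA exists for this SPI
    print(gw.receive_esp(esp(0xDEADBEEF)))        # point B
    print(gw.send("10.1.0.0/24", "10.2.0.0/24"))  # SA exists for this selector
    print(gw.send("10.1.0.0/24", "10.9.0.0/24"))  # point A
```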
