Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"


Symptoms
  • Error in SmartView Tracker: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
Cause
The error message indicates a failure in the IPSec Security Association (SA) negotiation process: specifically, a function timeout occurred. The two most common causes of such timeouts are:
  1. A packet needs to be encrypted, but the new IPSec SA needed to encrypt it could not be created.
  2. A packet needs to be decrypted, but no IPSec SA matches the SPI carried in the packet.
During the IKE Quick Mode exchange, the VPN daemon negotiates IPSec SAs with the VPN peer site. If the negotiation fails and the exchange does not complete, the VPN daemon has no IPSec SAs to pass to the firewall kernel. The firewall then either expires the state-table entries of the running VPN or does not start a new one, because it did not receive updated IPSec SAs. That expiration triggers this error message.
The message tells you that the SAs expired; it does not tell you why. Other SmartView Tracker messages, before or after the "sk19423 error", provide more information about the underlying problem.

Solution
Most of the time, this message is displayed because of an interoperability issue with the peer. In such cases the VPN-1 VPN Interoperability document should help you resolve the issue.

You can also review SmartView Tracker for other information or error messages logged before or after the "sk19423 error". Specifically, check whether the IKE negotiation failed or succeeded:

Procedure:
  1. Open SmartView Tracker.
  2. On the left hand pane double-click on the 'VPN-1' query menu item.
  3. View the queried logs in the right pane.
Note:
Be sure that the system clocks of all Security Gateways taking part in the VPN are synchronized. Unsynchronized clocks can contribute to this symptom, because certificate validity periods and SA lifetimes are evaluated against each gateway's local time.

If the negotiation was successful:

SmartView Tracker displays a log entry whose "Action" field reads "Key Install" and whose "Information" field reads "IKE: Quick Mode completion". If the IKE negotiation succeeded, no corrective action for the "sk19423 error" is required.

If the negotiation failed:

The log entries have the "Encryption Scheme" field set to "IKE". Their content varies, but it pinpoints the problem more precisely. Use these information/error messages to search SecureKnowledge for the specific fix. If no additional IKE error messages exist and the VPN connection is not working, generate a VPN debug report and open a Service Request with Check Point Support.
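The triage described above (look for a "Key Install" / "IKE: Quick Mode completion" entry for the same peer; failing that, for any other IKE entry; failing that, escalate) can be scripted over an exported log. The following is an added example, not part of the sk19423 article and not a Check Point tool. It runs over constructed records whose keys mirror the SmartView Tracker columns named above; the five-minute window, the record layout and the failure message text are assumptions, and mapping a real export onto these keys is left to the reader.

```python
"""Correlate sk19423 drops with the IKE log entries around them.

Added example, not text from Check Point's sk19423 article.  The records
below are constructed; their keys mirror the SmartView Tracker columns
the article names (Action, Information, Encryption Scheme).
"""
from datetime import datetime, timedelta

SK_MARKER = "sk19423"                         # substring identifying the drop entry
QM_COMPLETION = "IKE: Quick Mode completion"  # Information text of a successful negotiation
DEFAULT_WINDOW_S = 300                        # look 5 min before/after the drop (assumption)


def _when(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")


def triage(records, window_s=DEFAULT_WINDOW_S):
    """Return one (time, peer, verdict, evidence) tuple per sk19423 drop.

    verdict is one of:
      ike-ok       a Quick Mode completion for the same peer lies in the window;
                   no corrective action for the drop itself
      ike-failed   other IKE entries exist for the peer; search SecureKnowledge
                   for the evidence text
      no-ike-logs  no IKE entries at all; generate a VPN debug report, open an SR
    """
    window = timedelta(seconds=window_s)
    recs = sorted(records, key=_when)
    verdicts = []
    for drop in recs:
        if SK_MARKER not in drop["information"]:
            continue
        lo, hi = _when(drop) - window, _when(drop) + window
        nearby = [r for r in recs
                  if r is not drop and r["peer"] == drop["peer"]
                  and lo <= _when(r) <= hi]
        # other drops for the same peer are not IKE evidence, so skip them
        ike = [r for r in nearby
               if r.get("encryption_scheme") == "IKE" and SK_MARKER not in r["information"]]
        done = [r for r in ike
                if r["action"] == "Key Install" and QM_COMPLETION in r["information"]]
        if done:
            verdicts.append((drop["time"], drop["peer"], "ike-ok", done[-1]["information"]))
        elif ike:
            verdicts.append((drop["time"], drop["peer"], "ike-failed", ike[-1]["information"]))
        else:
            verdicts.append((drop["time"], drop["peer"], "no-ike-logs", ""))
    return verdicts


DROP_TEXT = ("Packet is dropped because there is no valid SA - please refer to "
             "solution sk19423 in SecureKnowledge Database for more information")

# Constructed sample log, not real gateway output.  203.0.113.10 renegotiated
# successfully right after its drop; 198.51.100.7 has a failed IKE exchange
# (illustrative text, not a verbatim Check Point message); 192.0.2.44 shows
# no IKE activity near its drop (its only completion is an hour earlier).
SAMPLE_RECORDS = [
    {"time": "2021-10-06 09:00:00", "peer": "192.0.2.44", "action": "Key Install",
     "encryption_scheme": "IKE", "information": QM_COMPLETION},
    {"time": "2021-10-06 10:00:30", "peer": "203.0.113.10", "action": "Drop",
     "encryption_scheme": "IKE", "information": DROP_TEXT},
    {"time": "2021-10-06 10:00:35", "peer": "203.0.113.10", "action": "Key Install",
     "encryption_scheme": "IKE", "information": QM_COMPLETION},
    {"time": "2021-10-06 10:04:58", "peer": "198.51.100.7", "action": "Key Install",
     "encryption_scheme": "IKE", "information": "IKE: Main Mode failure: invalid certificate"},
    {"time": "2021-10-06 10:05:00", "peer": "198.51.100.7", "action": "Drop",
     "encryption_scheme": "IKE", "information": DROP_TEXT},
    {"time": "2021-10-06 10:10:00", "peer": "192.0.2.44", "action": "Drop",
     "encryption_scheme": "IKE", "information": DROP_TEXT},
]

if __name__ == "__main__":
    for t, peer, verdict, evidence in triage(SAMPLE_RECORDS):
        print(f"{t}  {peer:<14} {verdict:<12} {evidence}")
```

Widening the window changes the verdict for the third peer, which is why the window size matters: a completion from an hour earlier is not evidence that the negotiation at the time of the drop succeeded.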
Troubleshooting encryption errors that produce the sk19423 message in various configurations:
These encryption failures occur when no IPSec SA (Security Association) is found for a connection.

Log message: "Packet is dropped because an IPSEC SA associated with the SPI on the received IPSEC packet could not be found."

Configuration: Gateway is a cluster member.
Scenario: Possibly the IKE negotiation took place between the peer and member A, while the IPSec packets reached member B. Such a log message may indicate a problem in the synchronization network of the cluster members.
Solution: Make sure that the synchronization network works properly. Run the command:
cphaprob -a if

Configuration: Gateway is not a cluster member.
Solution: Contact Check Point Support.

Log message: "Packet is dropped because there is no valid SA for user peer - please refer to solution sk19423 in SecureKnowledge Database for more information."

Configuration: Any.
Scenario: The gateway tried to open a connection to a user who had disconnected their remote access client.
Solution: No action needed.

Configuration: Gateway is a cluster member in a load balancing configuration.
Scenario: Possibly the remote access client had an IKE negotiation with member A while packets to that client were sent through member B, and the IPSec SA was not synchronized between the members. Such a log message may indicate a problem in the synchronization network of the cluster members.
Solution: Make sure that the synchronization network works properly. Run the command:
cphaprob -a if

Configuration: Gateway is a cluster member; or the gateway is not a cluster member and many connections are opened from the gateway's encryption domain to the remote access client.
Scenario: The remote access client is behind a NAT device and the NAT mapping was deleted from the NAT device (e.g., because of NAT entry timeouts). IKE packets from the gateway could not reach the remote access client because the NAT device could not forward them.
Solution: To work with remote access clients behind NAT devices, the client must send keep-alive packets. To configure this:
  1. From the main menu, select 'Policy' > 'Global Properties'.
  2. Click the 'Remote Access' section.
  3. Select the 'Enable back connections' option.

Configuration: Any.
Scenario: IKE negotiation failed (e.g., because of an invalid certificate).
Solution: Search the logs for IKE negotiation messages.
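Both cluster rows above end with the same check: confirm the synchronization network with cphaprob -a if. The script below is an added example, not Check Point's code, that parses that output and flags a sync interface that is not UP (or a member with no sync interface at all). The sample output is constructed to resemble the interface table printed by older releases; the column layout and the UP/DOWN state names are assumptions to adjust for your version.

```python
"""Flag an unhealthy cluster sync interface from `cphaprob -a if` output.

Added example, not Check Point's code.  SAMPLE_* below are constructed to
imitate the interface table of `cphaprob -a if` on a cluster member; the
exact column layout varies between releases, so adjust IF_LINE to match
the output of your version.  On a member run:
    cphaprob -a if | python3 check_sync.py
"""
import re
import sys

# name, state, role   e.g.  "eth1   UP   sync(secured), multicast"
# Only UP/DOWN states are recognised (assumption); header lines do not match.
IF_LINE = re.compile(r"^\s*(\S+)\s+(UP|DOWN)\s+(.*?)\s*$")


def parse_interfaces(text):
    """Return [(name, state, is_sync)] for each interface line in the output."""
    result = []
    for line in text.splitlines():
        m = IF_LINE.match(line)
        if m:
            name, state, role = m.groups()
            result.append((name, state, role.startswith("sync(")))
    return result


def sync_problems(text):
    """Return human-readable problems with the sync network; [] means healthy."""
    ifs = parse_interfaces(text)
    if not ifs:
        return ["no interface lines recognised; check the layout for this release"]
    problems = []
    syncs = [i for i in ifs if i[2]]
    if not syncs:
        problems.append("no interface is marked sync(secured)")
    for name, state, _ in syncs:
        if state != "UP":
            problems.append(f"sync interface {name} is {state}")
    return problems


# Constructed sample, not captured from a real gateway.
SAMPLE_GOOD = """\
Required interfaces: 3
Required secured interfaces: 1

eth0       UP                    non sync(non secured), multicast
eth1       UP                    sync(secured), multicast
eth2       UP                    non sync(non secured), multicast

Virtual cluster interfaces: 2

eth0            192.168.1.1
eth2            10.1.1.1
"""

# Same member with the sync link down: IPSec SAs cannot be synchronized.
SAMPLE_BAD = SAMPLE_GOOD.replace("eth1       UP  ", "eth1       DOWN")

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    probs = sync_problems(text)
    print("\n".join(probs) if probs else "sync network looks healthy")
    sys.exit(1 if probs else 0)
```

A non-zero exit lets the check sit in a monitoring job; a DOWN sync interface on either member is enough to explain SAs negotiated on one member being unknown to the other.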

Comments

1 Response to "Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information""

Mekka said... October 6, 2021 at 3:55 AM

Check the validity of the gateway certificate: Gateway Properties > IPSec VPN > certificate repository > Renew. Then install policy.