VPN between Check Point Security Gateway and Cisco Pix fails: "No valid SA"


  • Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".
  • VPN between Check Point Security Gateway and Cisco Pix fails.
CAUSE
During IKE Quick Mode exchange, the VPN daemon negotiates IPsec Security Associations (SAs) with the VPN partner site. If the negotiation fails and the exchange does not complete, the VPN daemon has no IPsec SAs to pass to the Security Gateway kernel. Because it never receives the updated IPsec SAs, the gateway either expires the state table entries of the running VPN or does not start a new VPN at all. That expiration triggers the "Packet is dropped because there is no valid SA" error message.

The VPN between the Check Point Security Gateway and the Cisco Pix fails because Cisco Tunnel Sharing is configured for a host-based VPN (one SA per pair of hosts), while Check Point Tunnel Sharing is usually configured for a network-based VPN (one SA per pair of subnets). The two sides therefore propose different Quick Mode identities and the SA is never established.
SOLUTION
To resolve this issue proceed as follows:

  1. At the Cisco end, check the Crypto Map settings. From the crypto ACLs, determine whether the VPN is set up host based (entries using 'host') or network based (entries using a subnet and mask).

  2. In SmartDashboard, edit the Interoperable Device object that represents the Cisco Pix. Select 'Network Objects > Others > Interoperable Device > VPN > Advanced'. Uncheck 'Support key exchange for subnets'.

    Note: For NGX, select 'Network Objects > Interoperable Device > VPN > Advanced'. Under VPN Tunnel Sharing, select Custom Settings and specify "One VPN tunnel per each pair of hosts".


  3. After completing this procedure, initiate traffic from the source PC. You should now see an Encrypt log entry in SmartView Tracker.
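The check in step 1 can be scripted. The following is an added example, not part of the SecureKnowledge article: it parses a constructed sample of PIX crypto ACL lines (PIX access-lists use subnet masks rather than IOS wildcard masks, with 'host' for a single address), classifies the entries as host based or network based, and shows why a subnet pair proposed by the Check Point side finds no matching ACL entry when the Pix expects host pairs.

```python
import ipaddress
import re

# Constructed sample of PIX crypto ACL lines (not taken from the article).
SAMPLE_ACL = """
access-list vpn-acl permit ip host 10.1.1.5 host 192.168.2.10
access-list vpn-acl permit ip host 10.1.1.6 host 192.168.2.10
"""

ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)$"
)


def parse_endpoint(text):
    """Turn 'host A' or 'A MASK' (PIX subnet-mask form) into an ip_network."""
    parts = text.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_acl(config):
    """Return a list of (source, destination) network pairs from the ACL text."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            entries.append((parse_endpoint(m.group("src")), parse_endpoint(m.group("dst"))))
    return entries


def classify(entries):
    """'host' if every entry is a host pair, 'network' if every entry is a subnet pair, else 'mixed'."""
    kinds = {"host" if s.prefixlen == 32 and d.prefixlen == 32 else "network" for s, d in entries}
    return kinds.pop() if len(kinds) == 1 else "mixed"


def recommended_setting(kind):
    """Map the ACL style to the Check Point tunnel sharing setting from step 2."""
    if kind == "host":
        return "Uncheck 'Support key exchange for subnets' (one VPN tunnel per each pair of hosts)"
    if kind == "network":
        return "Keep 'Support key exchange for subnets' enabled (subnet-based tunnel sharing)"
    return "Mixed ACL: align each crypto map entry with the matching tunnel sharing setting"


def proxy_id_matches(entries, src, dst):
    """Simplified model: a Quick Mode proposal succeeds only if it equals some ACL entry exactly."""
    pair = (ipaddress.ip_network(src), ipaddress.ip_network(dst))
    return pair in entries
```

With the sample ACL, a subnet proposal such as 10.1.1.0/24 to 192.168.2.0/24 (what the Check Point side sends while 'Support key exchange for subnets' is enabled) matches nothing, while the host pair 10.1.1.5/32 to 192.168.2.10/32 does.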
