
Troubleshooting encryption issues in relation to sk19423

The following provides additional information regarding encryption failures that occur when no IPSEC SA (Security Association) could be found for a connection. In such scenarios a log message is issued. Please refer to the section below whose title matches the log message received. In each of the tables, look at the rows relevant to your configuration.

(a) Packet is dropped because an IPSEC SA associated with the SPI on the received IPSEC packet could not be found.

Configuration: Gateway is a cluster member.
Scenario: Possibly the IKE negotiation was managed between the peer and member A, while the IPSEC packets reached member B. Such a log message may indicate a problem in the synchronization network of the cluster members.
Solution: Check that the synchronization network works properly. Use: cphaprob -a if

Configuration: Gateway is not a cluster member.
Solution: Please call Check Point support.

(b) Packet is dropped because there is no valid SA for user peer - please refer to solution sk19423 in SecureKnowledge Database for more information.

Configuration: Any
Scenario: The gateway tried to open a connection to a user who disconnected their remote access client.
Solution: No action needed.

Configuration: Gateway is a cluster member in a load balancing configuration.
Scenario: Possibly the remote access client had an IKE negotiation with member A while packets to that client were sent through gateway B. The IPSEC SA was not synchronized between the members. Such a log message may indicate a problem in the synchronization network of the cluster members.
Solution: Check that the synchronization network works properly. Use: cphaprob -a if

Configuration: Gateway is a cluster member; or the gateway is not a cluster member and many connections are opened from the gateway domain to the remote access client.
Scenario: The remote access client is behind a NAT device and the NAT mapping was deleted from the NAT device (e.g. because of NAT entry timeouts). IKE packets from the gateway could not reach the remote access client since the NAT device could not forward them.
Solution: In order to work with remote access clients behind NAT devices, the client must send keep-alive packets. To configure this:
(*) Choose Global Properties from the Policy menu.
(*) Click the Remote Access section.
(*) Check the "enable back connections" box.

Configuration: Any
Scenario: IKE negotiation failed (e.g. because of an invalid certificate).
Solution: Please search the logs for IKE negotiation messages.

(c) Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information.

Configuration: Any
Scenario: IKE negotiation failed (e.g. invalid certificate).
Solution: Look in the IKE logs above for the IKE failure reason.
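As an added example (not part of the SecureKnowledge article and not Check Point code), the triage logic of the three tables above applied to log lines: the lines are constructed samples whose drop reasons quote the article's message titles, the gateway's cluster and load-balancing state is passed in by the administrator, and the `many` threshold for "many connections" to one remote access client is an assumption.

```python
import re

# Constructed sample log lines (not real Check Point log format); only the
# quoted drop reasons are taken from the article's three message titles.
SAMPLE_LOGS = [
    'gw-a drop reason="Packet is dropped because an IPSEC SA associated with the SPI on the received IPSEC packet could not be found" peer=203.0.113.10',
    'gw-a drop reason="Packet is dropped because there is no valid SA for user peer" peer=198.51.100.7',
    'gw-a drop reason="Packet is dropped because there is no valid SA for user peer" peer=198.51.100.7',
    'gw-a drop reason="Packet is dropped because there is no valid SA for user peer" peer=198.51.100.7',
    'gw-a drop reason="Packet is dropped because there is no valid SA" peer=192.0.2.5',
    'gw-a accept service=https peer=192.0.2.9',
]

LINE_RE = re.compile(r'drop reason="(?P<reason>[^"]+)".*?peer=(?P<peer>\S+)')

def classify(reason):
    """Map a drop reason to the article's section (a), (b) or (c); None otherwise."""
    if "associated with the SPI" in reason:
        return "a"
    if "no valid SA for user peer" in reason:   # must be tested before the generic (c) text
        return "b"
    if "no valid SA" in reason:
        return "c"
    return None

def recommend(section, drops, cluster, load_balancing, many=3):
    """Next check from the article's tables for one peer. `cluster` and `load_balancing`
    describe the gateway; `many` (an assumption) is how many drops count as 'many connections'."""
    if section == "a":
        return "check cluster sync: cphaprob -a if" if cluster else "call Check Point support"
    if section == "c":
        return "look in the IKE logs for the IKE failure reason"
    if cluster and load_balancing:
        return "check cluster sync: cphaprob -a if"
    if drops >= many:
        return "client may be behind NAT with expired mapping: enable back connections (keep-alives)"
    return "no action if the client disconnected; otherwise search logs for IKE negotiation messages"

def triage(lines, cluster, load_balancing):
    """Group SA-related drops per peer and attach the recommended check."""
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        sec = classify(m.group("reason")) if m else None
        if sec:
            key = (sec, m.group("peer"))
            seen[key] = seen.get(key, 0) + 1
    return {peer: (sec, n, recommend(sec, n, cluster, load_balancing))
            for (sec, peer), n in seen.items()}
```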
