received IKE message with invalid SPI (C8A9D1D2) from other side

Hi Kevin Day,

Thank you for reaching out to the Community! 

Could you please share the screenshots of the configured IPsec policies from both firewalls? 

Also, ensure that DPD(Dead Peer Detection) isn't set to Re-initiate on the IPsec connection, configured as "Respond only" gateway. 

Thanks,

Hi Kevin Day,

Thank you for reaching out to the Community! 

Could you please share the screenshots of the configured IPsec policies from both firewalls? 

Also, ensure that DPD(Dead Peer Detection) isn't set to Re-initiate on the IPsec connection, configured as "Respond only" gateway. 

Thanks,

Hi and thank you for your reply, in checking the ipsec policy I see the Dead peer connection is set to "re-initiate".

Please xplain why changing this to "Respond only" should fix the issue.
also, we have several site to site vpn connections all sharing same policy, how would the other tunnels be affected.
Finally, will changing this setting cause th etunnels to reset or go down? should I do this after hours?

Thank You

upon further review, the only option for dead peer connection we have are "Re-initiate","Hold" and "Disconnect" there is no "Respond only" option.

Hi Kevin Day,

I meant to say, on the gateway type respond only, the DPD settings can't be configured as "re-initiate."

Check out the following document for more info: 

• Best practice for site-to-site policy-based IPsec VPN

Note: If there’s more than one connection sharing the same policy, avoid making changes to the policy. You could clone the policy and make the required change or create a new policy.

Could you provide more detail on configured IPsec policies on both firewalls? 

Thanks,

upon checking the gateway settings it is actually set to "respond only" already.