received IKE message with invalid SPI (C8A9D1D2) from other side

I checked the blogs and forums, and all discussions end in "support engineer solved this", but there is no explanation of how.

We have two XG F/W across a WAN with a site-to-site VPN working flawlessly for about 4 days; out of the blue one end receives "received IKE message with invalid SPI (C8A9D1D2) from other side" and the VPN goes down.

One end shows the VPN link UP/DOWN, the other site shows UP/UP.

  • FormerMember

    Hi,

    Thank you for reaching out to the Community!

    Could you please share the screenshots of the configured IPsec policies from both firewalls?

    Also, ensure that DPD (Dead Peer Detection) isn't set to Re-initiate on the IPsec connection configured as a "Respond only" gateway.

    Thanks,

  • Hi and thank you for your reply. In checking the IPsec policy I see the Dead Peer Detection is set to "Re-initiate".

    Please explain why changing this to "Respond only" should fix the issue.
    Also, we have several site-to-site VPN connections all sharing the same policy; how would the other tunnels be affected?
    Finally, will changing this setting cause the tunnels to reset or go down? Should I do this after hours?

    Thank You
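
As an added illustration (not code from this thread, from Sophos, or from XG itself), a small Python check that flags a peer repeatedly sending the quoted invalid-SPI message within a short window, plus a check for the DPD combination the earlier reply recommends against. The log line layout (timestamp, peer address, message), the sample timestamps and addresses, and the connection dicts are constructed assumptions; only the quoted message text comes from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <peer-ip> <message>". The message text is the
# one quoted in the thread; the timestamp/peer layout is an assumption, not the XG format.
SAMPLE_LOG = """\
2023-01-10 09:12:01 203.0.113.5 received IKE message with invalid SPI (C8A9D1D2) from other side
2023-01-10 09:12:31 203.0.113.5 received IKE message with invalid SPI (C8A9D1D2) from other side
2023-01-10 09:13:02 203.0.113.5 received IKE message with invalid SPI (C8A9D1D2) from other side
2023-01-10 09:13:05 198.51.100.9 received IKE message with invalid SPI (0A0B0C0D) from other side
2023-01-10 09:40:00 203.0.113.5 received IKE message with invalid SPI (C8A9D1D2) from other side
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<peer>\S+) "
    r"received IKE message with invalid SPI \((?P<spi>[0-9A-Fa-f]{8})\) from other side$"
)

def find_invalid_spi_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (peer, spi, count) for every peer/SPI pair that produced at least
    `threshold` invalid-SPI messages inside a sliding `window`. A burst for one
    SPI means the peer keeps using an SA this side no longer knows, i.e. the two
    gateways disagree on tunnel state (the UP/DOWN vs UP/UP symptom)."""
    recent = defaultdict(deque)   # (peer, spi) -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["peer"], m["spi"].upper())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = len(q)
    return [(peer, spi, n) for (peer, spi), n in flagged.items()]

def dpd_misconfigured(connections):
    """Flag IPsec connections configured as a respond-only gateway whose DPD
    action is still 'reinitiate' (the combination the reply recommends against).
    `connections` is a constructed list of dicts, not an XG configuration object."""
    return [c["name"] for c in connections
            if c["gateway_type"] == "respond_only" and c["dpd_action"] == "reinitiate"]
```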
