Site-to-Site VPN Problem Invalid SPI

Hi,

We are using a Sophos Firewall XG310 with SFOS v20. It's been 4 months since we established the Site-to-Site VPN, and today our connection suddenly went down with many "Received IKE message with invalid SPI (D3EED417) from the remote gateway" log messages, as shown below.

We didn't have any configuration changes before.

Here's our configuration (Sophos)

Remote site configuration (VMware NSX)

Any suggestions?



  • Hi Trio Fandi, in your configs, both IPsec gateways (SFOS and NSX) are set with the same Phase 1 and Phase 2 rekey timers. It is recommended to use lower values for the Phase 1 and Phase 2 rekey timers on the initiator IPsec gateway: if your SFOS is the initiator, adjust the P1/P2 timers to less than the P1/P2 values used on the far-end gw (responder), or vice versa.
