SA not found on lookup by SPI for outbound pkt
09/23/2022
This drop code might be seen if the local subnet has not been added as a remote network on the remote firewall.
The firewall will not be able to find an existing tunnel for the traffic selectors, and the tunnel will not appear under the currently active VPN tunnels.
Any traffic coming from a local subnet, attempting to pass over the tunnel, will be dropped if there is no active VPN tunnel available.
NOTE: IKE peers agree on a traffic selector, which permits traffic through a VPN tunnel once the specified pair of local and remote addresses has been matched. Traffic will be permitted through the associated security association (SA) once it matches a specific traffic selector. See KB 211101021750493 for more details.
Check the networks on both sides to make sure they match.
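The check above can be scripted. The following is an added example, not SonicWall code: it compares the local and remote networks of two peers and shows which outbound packets would find no SA. The site addresses and function names are constructed for illustration, and it assumes selectors must mirror each other exactly.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed sample policies (hypothetical addresses, not from the article).
# Site B has not added 192.168.20.0/24 as a remote network.
SITE_A = {"local": ["192.168.10.0/24", "192.168.20.0/24"], "remote": ["10.0.5.0/24"]}
SITE_B = {"local": ["10.0.5.0/24"], "remote": ["192.168.10.0/24"]}

def selectors(policy):
    """Traffic selectors a peer proposes: every (local, remote) network pair."""
    return {(net(l), net(r)) for l in policy["local"] for r in policy["remote"]}

def mirrored(policy):
    """The peer's selectors as seen from the other side (local/remote swapped)."""
    return {(r, l) for (l, r) in selectors(policy)}

def missing_on_peer(side, peer):
    """Selectors of `side` that `peer` has no matching entry for."""
    return sorted(selectors(side) - mirrored(peer))

def negotiated(side, peer):
    """Selectors both peers agree on, from `side`'s point of view."""
    return selectors(side) & mirrored(peer)

def find_sa(active, src, dst):
    """Return the selector covering an outbound packet, or None if it would drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in active:
        if s in local and d in remote:
            return (local, remote)
    return None

if __name__ == "__main__":
    for local, remote in missing_on_peer(SITE_A, SITE_B):
        print(f"Site B is missing remote network {local} (towards {remote})")
    active = negotiated(SITE_A, SITE_B)
    for src in ("192.168.10.7", "192.168.20.7"):
        hit = find_sa(active, src, "10.0.5.9")
        print(src, "->", "tunnel " + str(hit) if hit else "no SA, packet dropped")
```
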