AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx : Seclore Customer Support - Get Help Today

Solution home Knowledge Base Articles VPN Issues

AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx

Modified on: Tue, 3 Oct, 2023 at 6:59 PM

Applicable plans a b c d

Applies to: Seclore Cloud VPN

Are you facing issues with your AWS tunnel? Here are some common errors you might encounter and simple solutions to get things back on track.

List of errors:

AWS tunnel received DELETE for Phase 2 SA with SPI: xxxx

AWS tunnel received DELETE for IKE_SA from CGW

AWS tunnel detected a (CHILD_REKEY) collision as CHILD_DELETE

AWS tunnel (CHILD_SA) redundant SA is being deleted due to detected collision

No Proposal Match Found by AWS

No Proposal Match Found. Notifying with "No proposal chosen"

AWS tunnel Phase 2 was unable to establish while keeping Phase 1

AWS: Traffic Selector: TS_UNACCEPTABLE: received from responder

AWS tunnel is sending AUTHENTICATION_FAILED as the response

AWS tunnel Timeout: deleting un-established Phase 1 IKE_SA with cgw: xxxx

No Proposal Match Found. Notifying with "No proposal chosen"

No Proposal Match Found by AWS

Solution:

Ensure the Phase 1 and Phase 2 lifetimes are identical.

Check if there is no traffic inside the tunnel and if the key's lifetime has expired.

Verify if any configuration changes have been made related to the VPN tunnel.

Ensure the Phase 1 and Phase 2 parameters or attributes are similar at both ends of the gateway.

If you've modified the traffic selector/domain encryption or changed IPsec parameters, your Customer Gateway device might send a CHILD_SA deletion request to AWS, which can tear down the VPN tunnels. In this case, review the configurations and consider reaching out to your device’s TAC team if needed.

Another possible issue could be an incorrect proposal. For policy-based routing, AWS supports a single SA for inbound and outbound traffic. To resolve this, ensure the traffic selector/encryption domain is configured with identical and correct CIDRs.

Check the stability of your ISP link. A stable connection is crucial for a functioning AWS tunnel.

Other similar issues.

Peer is not responsive - Declaring peer dead (DPD issue)

Trouble Logging into PS Despite Working VPN

AWS tunnel detected a pre-shared key mismatch with cgw: xxxx

Need more help?

Contact Seclore Support

support@seclore.com | Chat Live

Did you find it helpful? Yes No

More articles in VPN Issues