Every individual tunnel/SA is represented by an SPI. If you are using R80.10 on your firewall, this is pretty easy: run vpn tu mstats, and use vpn tu tlist for more specific information about a tunnel. For R77.30 and earlier you could use fw tab -s -t inbound_SPI and fw tab -s -t outbound_SPI. Also give this a try: fw tab -u -t peers_count

In general, a single log may indicate that there was a missing SPI key to decrypt the packet. Repeated logs may indicate that the relevant kernel tables are full and new VPN-related data cannot be recorded. In such a case, the VPN kernel debug (# fw ctl debug -m VPN + …

Explanation of "Unknown SPI" message in Event log

The actual SPI values for each tunnel are displayed using the diag vpn tun list command on the FortiGate unit. Knowing this, you can enable the sniffer on the external interface and see whether the packets that you are receiving from the remote IPSec client/gateway do indeed use the correct SPI or not.

PIX/ASA 7.x and above: PIX-to-PIX VPN Tunnel Configuration

Choose Monitoring > VPN > VPN Statistics > Global IKE/IPSec Statistics in order to know about the statistical information of the VPN tunnel. You can also verify the formation of tunnels using CLI. Issue the show crypto isakmp sa command to check the formation of tunnels and issue the show crypto ipsec sa command to observe the number of packets

SonicWall VPN site to site problem - Spiceworks Aug 17, 2017

It was here that we noticed that the SPIs in the sho crypto ipsec sa didn't match the SPIs coming from the central office. I tried clearing the crypto ipsec sa, but that didn't work, so I rebooted the FW. When it came back up it started working again, and the SPIs matched. The …

