02-07-2007 09:55 PM - edited 02-21-2020 01:24 AM
Should there be a "service-policy" command on the outbound interface when using the "qos pre-classify" under the crypto map?
I have several point-to-point links that use both the qos pre-classify and the service-policy on the interface, and all those links generate %CRYPTO-4-PKT_REPLAY_ERR errors under load.
Other links that only encrypt are not getting the %CRYPTO-4-PKT_REPLAY_ERR errors under load.
The documentation for QOS and VPN (http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ac4.html) only states to use "qos pre-classify"???
I believe the packets are going through the QOS process twice: once before encryption, and then again afterward, resulting in the resequencing.
02-18-2007 07:22 AM
Hi,
IPSec replay errors can also be caused by a smaller replay window size. You might want to try increasing the replay window size.
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html
HTH,
-Kanishka
02-08-2007 03:42 AM
Another possibility is that "qos pre-classify" is just maintaining the original packet's class after it encrypts. This would mean that the encrypted packets are going through QOS after encryption (reordering). Many of the documents state that QOS will be done before the encryption, but if that were true I wouldn't be getting replay errors.
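To show in working code what the two posts above describe (the reordering theory in the original poster's follow-up and the window-size remedy in Kanishka's answer), here is an added example that is not from the thread or from Cisco: a small Python model of the ESP anti-replay sliding window, fed a burst of sequence numbers that a constructed post-encryption scheduler reorders. The window sizes (64 and 1024), burst length and priority ratio are assumed values chosen for the demonstration.

```python
# Added example (not from the thread): a simplified model of the IPsec ESP
# anti-replay sliding window (RFC 4303 style), used to show why reordering
# after encryption produces replay errors and how a larger window absorbs it.
class AntiReplayWindow:
    """Bitmask sliding window over ESP sequence numbers (constructed model)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        """True if seq is accepted; False if the receiver would log a replay error."""
        if seq > self.top:                       # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # older than the window: rejected
            return False
        if self.bitmap & (1 << offset):          # duplicate inside the window
            return False
        self.bitmap |= 1 << offset
        return True

def reorder_by_priority(seqs, burst=200, priority_every=10):
    """Constructed post-encryption scheduler: within each burst, the 'priority'
    packets (every Nth sequence number) go out first and the rest afterwards,
    so the wire order no longer matches the ESP sequence order."""
    wire = []
    for i in range(0, len(seqs), burst):
        chunk = seqs[i:i + burst]
        wire += [s for s in chunk if s % priority_every == 0]
        wire += [s for s in chunk if s % priority_every != 0]
    return wire

def count_replay_drops(wire_order, window_size):
    """Number of packets a receiver with the given window rejects as replays."""
    win = AntiReplayWindow(window_size)
    return sum(0 if win.accept(s) else 1 for s in wire_order)

if __name__ == "__main__":
    seqs = list(range(1, 201))               # one burst of 200 ESP packets, in order
    wire = reorder_by_priority(seqs)         # same packets after the scheduler
    print("in-order, window 64:   ", count_replay_drops(seqs, 64))    # 0
    print("reordered, window 64:  ", count_replay_drops(wire, 64))    # 123
    print("reordered, window 1024:", count_replay_drops(wire, 1024))  # 0
```

Drops fall to zero only once the window is wider than the worst-case reordering distance the scheduler introduces, which is the mechanism behind the window-size remedy.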