Is QOS causing IPSEC replay errors?

david.chandler
Level 1

Should there be a "service-policy" command on the outbound interface when using the "qos pre-classify" under the crypto map?

I have several point-to-point links that use both the qos pre-classify and the service-policy on the interface, and all those links generate %CRYPTO-4-PKT_REPLAY_ERR errors under load.

Other links that only encrypt are not getting the %CRYPTO-4-PKT_REPLAY_ERR errors under load.

The documentation for QOS and VPN (http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ac4.html) only states to use the "qos pre-classify" ???

I believe the packets are going through the QOS process twice. Once before encryption, and then again afterward resulting in the resequencing.

Accepted Solution

kaachary
Cisco Employee

Hi,

IPSec replay error can also be caused due to a smaller replay window size. You might wanna try increasing the replay window size.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html

HTH,

-Kanishka


2 Replies

david.chandler
Level 1

Another possibility is that the "qos pre-classify" is just maintaining the original packet's class after it encrypts. This would mean that the encrypted packets are going through QOS after encryption (reordering). Many of the documents state the QOS will be done before the encryption, but if that is true I wouldn't be getting replay errors.
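The two ideas in this thread (a scheduler reordering already-encrypted packets, and a replay window too small to absorb that reordering) can be reproduced in a small simulation. This is an added example, not code from the thread or from Cisco; the priority-scheduler model and its delay values are constructed assumptions.

```python
# Added example (not from the thread): simulates the ESP anti-replay sliding
# window (RFC 4303 style) to show why post-encryption reordering by a QoS
# scheduler produces replay drops, and how a larger window absorbs them.
# On Cisco IOS the window is tuned with
# "crypto ipsec security-association replay window-size <n>" (default 64).
import random


class AntiReplayWindow:
    """Receiver-side sliding window keyed on the ESP sequence number."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.seen = set()     # accepted numbers within (top - size, top]

    def accept(self, seq):
        """Return True if the packet passes the replay check, else False."""
        if seq > self.top:
            # Window slides forward; forget entries that fall out of it.
            self.top = seq
            self.seen = {s for s in self.seen if s > self.top - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.top - self.size:
            return False      # left of the window -> %CRYPTO-4-PKT_REPLAY_ERR
        if seq in self.seen:
            return False      # duplicate inside the window
        self.seen.add(seq)
        return True


def qos_reorder(seqs, low_priority_delay, low_share=0.5, rng_seed=1):
    """Constructed model of a priority scheduler acting on encrypted packets:
    about half are 'low priority' and leave the queue `delay` slots late."""
    rng = random.Random(rng_seed)
    departures = []
    for i, s in enumerate(seqs):
        delay = low_priority_delay if rng.random() < low_share else 0
        departures.append((i + delay, rng.random(), s))
    return [s for _, _, s in sorted(departures)]


def count_replay_drops(window_size, delay, n_packets=2000):
    """Packets are sequenced 1..n before encryption, reordered afterwards."""
    win = AntiReplayWindow(window_size)
    stream = qos_reorder(range(1, n_packets + 1), delay)
    return sum(0 if win.accept(s) else 1 for s in stream)


if __name__ == "__main__":
    for size in (64, 1024):
        print(f"window {size:4d}: {count_replay_drops(size, delay=200)} drops")
```

With no reordering (delay 0) neither window size drops anything; with a 200-slot delay the default 64-packet window drops roughly every delayed packet while a 1024-packet window drops none.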

