Pix anti-replay check

Unanswered Question

I have an issue with a VPN connection to a customer firewall. Our end is dual ASA 5520s running in active/passive mode, while the far end is a Pix 506 running 6.3 SW.

When testing failover using hard ASA resets, sometimes the VPN breaks and the Pix shows anti-replay check failures - things have got out of sequence and the Pix is rightfully dropping the packets.

The customer doesn't like this and I'm looking for a solution.

On IOS, there is a new feature (http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html) that can expand the anti-replay window to 1024 packets from the default of 64.

The question is: is there anything similar for the Pix?

Thanks a lot
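To make the failure mode in the question concrete, here is an added simulation (not code from this thread or from Cisco) of the sliding-window anti-replay check that ESP receivers such as the Pix apply per security association (RFC 4303 section 3.4.3). The sequence numbers, the size of the post-failover burst, and the 64 and 1024 window sizes are constructed inputs for the illustration; the point is how many packets a receiver drops when a batch arrives far out of order, and how the outcome changes with a wider window. Because the window state belongs to the SA, a fresh SA (as after a keepalive-driven teardown and rebuild) starts with an empty window, which is why renegotiation also clears the condition.

```python
"""Sliding-window anti-replay check, modelled on RFC 4303 section 3.4.3.

Added illustration for this thread (not Cisco code). Window sizes and
sequence numbers below are constructed for the demonstration.
"""


class AntiReplayWindow:
    """Receiver-side replay window for one inbound IPsec SA."""

    def __init__(self, size=64):
        # RFC 4303 recommends a window that is a multiple of 32, minimum 32.
        if size < 32 or size % 32:
            raise ValueError("window size must be a multiple of 32 (>= 32)")
        self.size = size
        self.last_seq = 0          # highest sequence number accepted so far
        self.bitmap = 0            # bit i set => seq (last_seq - i) already seen
        self.accepted = 0
        self.dropped = []          # (seq, reason) for every rejected packet

    def check(self, seq):
        """Return True if the packet is accepted, False if it is dropped."""
        if seq == 0:
            self.dropped.append((seq, "zero sequence number"))
            return False
        if seq > self.last_seq:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1    # jumped past the whole window; only seq is marked
            self.last_seq = seq
            self.accepted += 1
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            # Too old: "anti-replay check failure" on a late but legitimate packet.
            self.dropped.append((seq, "outside window"))
            return False
        if self.bitmap & (1 << diff):
            # Already seen inside the window: a genuine replay.
            self.dropped.append((seq, "replay"))
            return False
        self.bitmap |= 1 << diff
        self.accepted += 1
        return True


def simulate_failover(window_size, in_order=500, late_burst=200):
    """Constructed scenario: in_order packets arrive normally, then a burst of
    late_burst packets is delivered with its newest packet first (the kind of
    reordering a hard failover can produce). Returns acceptance statistics."""
    window = AntiReplayWindow(window_size)
    for seq in range(1, in_order + 1):
        window.check(seq)
    burst = list(range(in_order + 1, in_order + late_burst + 1))
    arrival_order = [burst[-1]] + burst[:-1]   # newest first, then the rest
    for seq in arrival_order:
        window.check(seq)
    return {
        "window": window_size,
        "accepted": window.accepted,
        "dropped": len(window.dropped),
        "reasons": sorted({reason for _, reason in window.dropped}),
    }


if __name__ == "__main__":
    for size in (64, 1024):
        print(simulate_failover(size))
```

With the constructed burst, the 64-packet window accepts the first (newest) packet and then rejects every packet more than 63 behind it as "outside window", while the 1024-packet window accepts the whole burst; a true duplicate is rejected by either size as "replay", so widening the window trades tolerance for reordering against the amount of replay history the receiver must track.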

nefkensp Thu, 09/13/2007 - 11:57

If you set an isakmp keepalive on both endpoints, then both endpoints detect quite fast that the tunnel has been gone for a few seconds and then the tunnel will reestablish nicely with new SAs.

Do you have one of the firewalls behind a nat-router?

Hi again,

I lab tested this and it worked fine, but when testing with the customer it didn't, which is typical. Now, even the lab test doesn't work, which I don't understand.

The Pix end doesn't seem to tear down the SAs - it appears to me that it sees the keepalives and replies happily, but the encrypted packets are still being dropped.

The debugs on the Pix show

ISAKMP (0): sending NOTIFY message 36137 protocol 1

which looks to me like a successful keepalive sent and received, is that correct? These debugs repeat, followed by the Pix sending

return status is IKMP_NO_ERR_NO_TRANS

until the SAs are manually cleared. Anyone seen this before?



nefkensp Tue, 09/18/2007 - 02:07

Can you send me the output for

show start | include isakmp

This command outputs the startup config, but it will only show the isakmp options.

It could be that something else is playing up now. What version of PIX are you using?

The keepalives on ASA 7.0, PIX 7.0 and later are configured differently.

I've just done some more testing - occasionally it tears down the SA, occasionally it doesn't. The Pix is version 6.3, while the ASAs are 7.2.2.

Pix config is

pixfirewall# sh conf | i isakmp
crypto map outside_map 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address ASA_GATEWAY_IP netmask no-xauth no-config-mode
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400


nefkensp Sun, 09/23/2007 - 22:27

Ok, perhaps some extra testing..

Can you tell me which side initiates the teardown? Is that the PIX or the ASA?

My guess is that the PIX tears down, but not the ASA.

Can you issue the following command on the ASA:

tunnel-group ipsec-attributes
isakmp keepalive threshold 10 retry 2

With ASA 7.x, you can set the ISAKMP keep alive per isakmp peer / tunnel-group.

Hope this helps
