Cisco ASA 5510 Anti-Replay Checking

Unanswered Question
Nov 21st, 2007


My logs on my ASA are screaming with error 402119, which corresponds with ESP packets failing anti-replay checking. It's only for two different users, but when it happens, it happens about 75 errors right in a row in my logs. I know in IOS you can adjust the window size for replay checking or just disable it altogether using the set security-association replay command set, but my research shows no means of doing this with ASA or the PIX. I'd really like these errors to go away. Help?



ebreniz Tue, 11/27/2007 - 12:51

There are 3 possible situations that can trigger this error, and they are as follows:

1. The IPSec encrypted packets are forwarded out of order by the encrypting router. This is typically a result of QoS configuration on the encrypting router. This is why you may contact your peer administrator to check whether they are using QoS or not, and also to see if they are sending the packets out of order or they are getting disordered in the path between the peer and your ASA.

2. The IPSec packets received by the decrypting router are out of order due to packet reordering at an intermediate device.

3. The received IPSec packet is fragmented and requires reassembly before authentication verification and decryption. Since the reassembly process is taking place at the process level, it's possible that by the time the large packet is reassembled, 64 smaller packets have already been processed by the crypto engine, thus causing the large packet to miss the anti-replay window.

I hope you are in sync with me until this point. Now, to avoid these error messages we need to disable the anti-replay check in case the packets are arriving out of order. In the ASA platform, this can only be done by disabling authentication for this peer. This means that you have to disable authentication on the transform-set used for this peer. For example, if you were previously using 3des for encryption and md5 for authentication, then you have to use this new transform set for this peer:

crypto ipsec transform-set TEST esp-3des

Instead of: crypto ipsec transform-set TEST esp-3des esp-md5-hmac

In case of fragmentation it will be better to avoid fragmentation by using a lower MTU value or fragmentation before encryption.
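Added example, not from the thread or from Cisco: a Python model of the ESP anti-replay sliding window (RFC 4303, section 3.4.3) that reproduces situation 3 above. It shows that a packet held back for reassembly while exactly 64 later packets pass the crypto engine falls off a 64-entry window and is rejected (the condition the ASA logs as 402119), while the same packet is accepted with 63 packets ahead of it or with the wider window that IOS lets you configure. The 64-packet window and the delayed-packet scenario are constructed from the reply's description.

```python
class AntiReplayWindow:
    """ESP anti-replay sliding window (RFC 4303, section 3.4.3). `top` is the
    highest sequence number accepted so far; bit i of `bitmap` is set when
    sequence number (top - i) has already been received."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if it passes; False if it is a replay
        or has fallen behind the window (what the ASA logs as 402119)."""
        if seq == 0:
            return False                       # ESP never uses sequence number 0
        if seq > self.top:                     # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # too old: fell off the left edge
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # in-window, out of order: accept
        return True


def delayed_packet_dropped(delay, window=64):
    """Situation 3 from the reply: ESP packet 10 is held for reassembly while
    `delay` later packets (11 .. 10+delay) are processed first. Constructed
    scenario; returns True if packet 10 then fails the anti-replay check."""
    w = AntiReplayWindow(window)
    for seq in range(1, 10):
        w.check_and_update(seq)
    for seq in range(11, 11 + delay):
        w.check_and_update(seq)
    return not w.check_and_update(10)


if __name__ == "__main__":
    w = AntiReplayWindow()
    print([w.check_and_update(s) for s in (1, 2, 4, 3, 5)])  # mild reordering is fine
    print(w.check_and_update(3))                              # same seq again: replay
    print(delayed_packet_dropped(63))                         # 63 packets ahead: accepted
    print(delayed_packet_dropped(64))                         # 64 ahead: dropped (402119)
    print(delayed_packet_dropped(64, window=128))             # wider window: accepted
```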

