Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7039
Views
5
Helpful
1
Replies

Cisco ASA 5510 Anti-Replay Checking

gdawsont2systems
Level 4
Level 4

‎11-21-2007 08:08 AM - edited ‎03-11-2019 04:33 AM

Greetings,

My logs on my ASA are screaming with error 402119, which corresponds with ESP packets failing anti-replay checking. It's only for two different users, but when it happens, it happens about 75 errors right in a row in my logs. I know in IOS you can adjust the window size for replay checking or just disable it altogether using the set security-association replay command set, but my research shows no means of doing this with ASA or the PIX. I'd really like these errors to go away. Help?

Thanks!

Grant

2 people had this problem
Labels:
0 Helpful
1 Reply 1

ebreniz
Level 6
Level 6

‎11-27-2007 12:51 PM

There are 3 possible situations that can trigger this error and they are here:

1. The IPSec encrypted packets are forwarded out of order by the encrypting router. This

is typically a result of QoS configuration on the encrypting router. This is why you may

contact your peer administrator to make sure if they are using Q0S or not, and also to see

if they are sneding the packets out of order or they are getting disordered in the path

between the peer and your ASA.

2. The IPSec packets received by the decrypting router are out of order due to packet

reordering at an intermediate device.

3. The received IPSec packet is fragmented and requires reassembly before authentication

verification and decryption. Since the reassembly process is taking place at the process

level, it's possible that the by the time the large packet is reassembled, 64 smaller

packets have already been processed by the crypto engine, thus causing the large packet to

miss the anti-replay window.

I hope you are in sync with me until this point. Now, to avoid these error messages we

need to disable anti-replay check in case the packets are arriving

out of order. In the ASA platfomr, this can opnly be done by disabling authentciation for

this peer. This means that you have to disable authentication on the transform-set used

for this peer. For example, if you were previously using 3des for ecnryption and md5 for

authentication, then you have to use this new tranfomr set for this peer:

crypto ipsec transform-set TEST esp-3des

Instead of: crypto ipsec transform-set TEST esp-3des esp-md5-hmac

In case of fragmentation it will be better to avoid fragmentation by using lower mtu value or fragmentation before encryption.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card