There are 3 possible situations that can trigger this error and they are:
1. The IPSec encrypted packets are forwarded out of order by the encrypting router. This
is typically a result of QoS configuration on the encrypting router. This is why you may
contact your peer administrator to check whether they are using QoS or not, and also to see
if they are sending the packets out of order or they are getting disordered in the path
between the peer and your ASA.
2. The IPSec packets received by the decrypting router are out of order due to packet
reordering at an intermediate device.
3. The received IPSec packet is fragmented and requires reassembly before authentication
verification and decryption. Since the reassembly process is taking place at the process
level, it's possible that by the time the large packet is reassembled, 64 smaller
packets have already been processed by the crypto engine, thus causing the large packet to
miss the anti-replay window.
I hope you are in sync with me until this point. Now, to avoid these error messages we
need to disable the anti-replay check in case the packets are arriving
out of order. In the ASA platform, this can only be done by disabling authentication for
this peer. This means that you have to disable authentication on the transform-set used
for this peer. For example, if you were previously using 3des for encryption and md5 for
authentication, then you have to use this new transform set for this peer:
crypto ipsec transform-set TEST esp-3des
Instead of:
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
In case of fragmentation it will be better to avoid fragmentation by using a lower MTU value or fragmentation before encryption.
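To make the "miss the anti-replay window" behaviour in situation 3 concrete, here is an added simulation of the ESP anti-replay sliding window as described in RFC 4303 Appendix A. It is example code written for this thread, not the poster's configuration and not Cisco code; it assumes the 64-packet window the post mentions and uses constructed sequence numbers. It shows why a large packet that is reassembled only after 64 later packets have been processed is rejected as "too old", while a packet that is merely a few positions out of order is still accepted, and why a genuine duplicate is rejected as a replay.

```python
"""Simulation of the IPsec ESP anti-replay sliding window (RFC 4303 Appendix A).

Example code for illustration only; sequence numbers below are constructed.
"""

WINDOW_SIZE = 64  # assumption: the 64-packet ESP window referred to in the post


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the last WINDOW_SIZE."""

    def __init__(self, window_size=WINDOW_SIZE):
        self.window_size = window_size
        self.right_edge = 0  # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => seq (right_edge - i) has already been seen

    def check_and_update(self, seq):
        """Return (accepted, reason) for one incoming ESP sequence number.

        Real ESP verifies the ICV before updating the window; only the
        sequence-number logic is modelled here.
        """
        if seq == 0:
            return False, "seq 0 is never valid"
        if seq > self.right_edge:
            # New highest sequence number: slide the window to the right.
            shift = seq - self.right_edge
            if shift >= self.window_size:
                self.bitmap = 1  # everything previously seen falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right_edge = seq
            return True, "advanced window"
        offset = self.right_edge - seq
        if offset >= self.window_size:
            return False, "too old: outside %d-packet window" % self.window_size
        if self.bitmap & (1 << offset):
            return False, "replay: already seen"
        self.bitmap |= 1 << offset
        return True, "accepted out of order inside window"


def simulate(arrivals, window_size=WINDOW_SIZE):
    """Feed a list of sequence numbers through one SA; return (seq, accepted, reason)."""
    window = AntiReplayWindow(window_size)
    return [(seq,) + window.check_and_update(seq) for seq in arrivals]


def fragmented_packet_scenario(later_packets):
    """Situation 3 from the post: packet 100 is reassembled only after `later_packets`
    smaller packets (101, 102, ...) have already gone through the crypto engine.
    Returns the verdict for packet 100."""
    arrivals = list(range(1, 100)) + list(range(101, 101 + later_packets)) + [100]
    return simulate(arrivals)[-1]


if __name__ == "__main__":
    # 64 later packets: the reassembled packet is dropped (the post's case).
    print(fragmented_packet_scenario(64))
    # 63 later packets: still just inside the window, accepted.
    print(fragmented_packet_scenario(63))
    # Mild reordering (situations 1 and 2) is tolerated by the window.
    for verdict in simulate([1, 3, 2, 5, 4]):
        print(verdict)
    # A true duplicate is rejected as a replay.
    print(simulate([1, 2, 3, 2])[-1])
```

The constructed runs show the boundary exactly: with 64 later packets the reassembled packet is 64 positions behind the right edge and is rejected, with 63 it is accepted. Reordering within the window never produces the error; only packets that fall behind by a full window, or duplicates, do.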