ESP Sequence Number Error

Sep 16th, 2009

I have a site-to-site IPsec VPN set up to a Cisco 1711 router, and am getting occasional error messages of this type:


%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 60, pool offset 0


This appears to be caused by the router seeing a sequence number in the ESP header it doesn't like, which I think happens occasionally because we have low phase 1 and 2 timers (300 seconds).


I tried to turn off the anti-replay service to see if this would cause the messages to stop, but the IOS version I have doesn't appear to allow that. The version is Version 12.3(11)T11.


Any ideas on how I could get these messages to cease?


vkapoor5 Tue, 09/22/2009 - 07:24

The error message usually indicates one of the following three conditions:

1. The IPsec encrypted packets are forwarded out of order by the encrypting router.

2. The IPsec packets received by the decrypting router are out of order due to packet reordering at an intermediate device.

3. The received IPsec packet is fragmented and requires reassembly before authentication verification and decryption.


This problem can usually be resolved by decreasing the TCP MSS on the outgoing interface of the router with the following commands:


interface outgoing-interface

ip tcp adjust-mss 1350


Before you make this change, please clear all your tunnels with the following commands:

clear crypto sa

clear crypto isakmp
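The answer above lists reordering and reassembly as causes, but does not show what the decrypting router actually checks. The following is an added example, not code from the original post or from Cisco: it implements the receiver-side sliding anti-replay window from RFC 4303 section 3.4.3 for one inbound SA and runs constructed arrival orders through it. A packet is dropped (the condition IOS reports as an ESP sequence failure) when its sequence number is older than the window or has already been accepted. The window size of 64 and the arrival orders are assumptions chosen for illustration; the example also shows that a fresh SA (for instance after a rekey) starts with an empty window, so a sequence number that was too old on the previous SA is valid again on the new one.

```python
"""Sliding-window anti-replay check for ESP (RFC 4303, section 3.4.3).

Added example, not from the original post. Models why a decrypting router
rejects packets of one SA that arrive out of order by more than the replay
window, or that arrive twice. Window size and arrival orders are constructed
for illustration; the ICV is assumed to have verified already.
"""

WINDOW_SIZE = 64  # assumed window width in packets (a common default)


class EspReplayWindow:
    """Receiver replay state for one inbound IPsec SA.

    `highest` is the largest sequence number accepted so far. Bit i of
    `bitmap` is set when sequence number (highest - i) has been accepted,
    so bit 0 always refers to `highest` itself.
    """

    def __init__(self, window_size=WINDOW_SIZE):
        self.window_size = window_size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if acceptable, False if it must be dropped."""
        if seq == 0:
            # RFC 4303: the first packet on an SA carries sequence number 1.
            return False
        if seq > self.highest:
            # Newer than anything seen: slide the window forward. Numbers
            # skipped over are left unset so they can still arrive late.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window_size:
            # Older than the window: late beyond what the receiver tolerates.
            return False
        if self.bitmap & (1 << diff):
            # Already accepted once: a replay (or a duplicated packet).
            return False
        self.bitmap |= 1 << diff
        return True


def simulate(arrivals, window_size=WINDOW_SIZE):
    """Feed a constructed arrival order through one SA; return dropped seqs."""
    win = EspReplayWindow(window_size)
    return [s for s in arrivals if not win.check_and_update(s)]


if __name__ == "__main__":
    # Constructed arrival orders for one SA.
    print("in order:      ", simulate([1, 2, 3, 4, 5]))
    print("mild reorder:  ", simulate([1, 2, 3, 5, 4, 6]))
    print("duplicate:     ", simulate([1, 2, 3, 2]))
    # Packet 2 arrives after 67 later packets: further back than the window.
    print("late beyond 64:", simulate([1] + list(range(3, 70)) + [2]))
    # A new SA after rekey has its own window, so seq 2 is fine again.
    print("fresh SA:      ", simulate([1, 2]))
```

The check is keyed to the SA, which is why `clear crypto sa` followed by a rekey gives a clean window; it does not change the fact that a tunnel whose packets are reordered by more than the window (or fragmented and reassembled late) will keep producing the same failures afterwards.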

