Replay check failed message

Unanswered Question
Sep 18th, 2009

I am seeing occasional syslogs of this type on a 1711 router running IPSec:


%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=3, sequence number=0


Does this mean that an ESP packet was seen with a sequence number of 0? What exactly does the connection id refer to?

Alexandro Carra... Mon, 09/21/2009 - 14:28
User Badges: Cisco Employee

The error %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed means that the packet got discarded due to the anti-replay check. It means that you are having out-of-order packets. This could cause packet retransmission.


There are 3 possible triggering conditions for this error to occur and they are outlined here:


1. The IPSec encrypted packets are forwarded out of order by the encrypting router. This is typically a result of QoS configuration on the encrypting router.


2. The IPSec packets received by the decrypting router are out of order due to packet reordering at an intermediate device (ISP issue, and the most common).


3. The received IPSec packet is fragmented and requires reassembly before authentication verification and decryption. Since the reassembly process is taking place at the process level, it's possible that by the time the large packet is reassembled, 64 smaller packets have already been processed by the crypto engine, thus causing the large packet to miss the anti-replay window.


Now, to avoid these error messages, we need to increase the window size or disable the anti-replay check in case the packets are arriving out of order. In the case of fragmentation, it is better to avoid fragmentation by using a lower MTU value or by fragmenting before encryption.


The easiest way to try and solve this issue is by disabling authentication on phase II. This means getting rid of the modifier 'esp-sha-hmac' or 'esp-md5-hmac' configured on the transform set. This will also need to be done on the remote peer involved in this tunnel. Keep in mind that this won't affect the encryption of the traffic; it will only instruct the router not to check that the traffic is arriving in the correct order.


Another option: there is a new feature added in 12.3(14)T that is also available in the 12.4T train. Please review the URL below for further details.


http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_bulletin09186a00801d7229.html#wp1007448


Section: IPsec Antireplay Window Expansion and Disable Options


Hope this helps.

Alex.
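The receive-side check Alex describes, as an added worked example that is not part of the original thread and is not Cisco IOS code: a sliding anti-replay window modelled on RFC 4303 Appendix A, run over constructed arrival orders for the triggers listed above (mild ISP reordering, a reassembled fragment that arrives after 65 later packets, and a genuinely replayed packet), once at the 64-packet default width and once at 1024. The class and function names (ReplayWindow, replay_failures) and the sample sequence numbers are this example's own.

```python
"""Sliding-window ESP anti-replay check, modelled on RFC 4303 Appendix A.

Constructed example: one inbound SA, a window of configurable width, and
three arrival orders matching the trigger conditions discussed in the thread.
Names (ReplayWindow, replay_failures) are this example's own, not IOS code.
"""
from typing import List, Tuple


class ReplayWindow:
    """Receive-side replay state for one inbound SA (the window is per SA)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size          # window width in packets; 64 is the default quoted above
        self.top = 0              # highest sequence number accepted so far
        self.bitmap = 0           # bit i set means seq (top - i) has already been accepted
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> Tuple[bool, str]:
        """Return (accepted, reason) and record seq in the window if accepted."""
        if seq == 0:
            # RFC 4303 3.3.3: the first packet on an SA carries sequence number 1,
            # so 0 is never a legitimate value on the wire (design choice here).
            return False, "replay check failed: sequence number 0"
        if seq > self.top:
            # Packet advances the right edge: slide the window up to it.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1            # everything previously seen is now outside
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True, "accepted: new highest"
        diff = self.top - seq
        if diff >= self.size:
            # Too old: `size` or more later packets were accepted before it arrived.
            return False, "replay check failed: below window"
        if self.bitmap & (1 << diff):
            return False, "replay check failed: duplicate"
        self.bitmap |= 1 << diff
        return True, "accepted: late but inside window"


def replay_failures(arrivals: List[int], size: int = 64) -> List[Tuple[int, str]]:
    """Feed an arrival order through a fresh SA window and return the rejects."""
    window = ReplayWindow(size)
    rejected = []
    for seq in arrivals:
        accepted, reason = window.check_and_update(seq)
        if not accepted:
            rejected.append((seq, reason))
    return rejected


# Constructed arrival orders (ESP sequence numbers as the decrypting router sees them).
REORDERED = [1, 2, 3, 5, 4, 7, 6, 8]                              # trigger 2: mild reordering
LATE_FRAGMENT = list(range(1, 10)) + list(range(11, 76)) + [10]   # trigger 3: 65 packets beat the reassembled one
TRUE_REPLAY = [1, 2, 3, 4, 3]                                     # a packet actually replayed


if __name__ == "__main__":
    cases = [("reordered", REORDERED), ("late fragment", LATE_FRAGMENT), ("true replay", TRUE_REPLAY)]
    for name, order in cases:
        for size in (64, 1024):
            print(f"{name:14s} window={size:5d} rejected={replay_failures(order, size)}")
```

At width 64 the late fragment is rejected as "below window" because 65 packets were accepted before it, while the same order at width 1024 passes; the duplicate in TRUE_REPLAY is rejected at both widths, which is the property a wider window keeps and a disabled check loses. On IOS the widening is the feature Alex links: `crypto ipsec security-association replay window-size 1024` globally, or `set security-association replay window-size` under a crypto map entry (same train, 12.3(14)T and later). Widening is preferable to removing `esp-sha-hmac`: without integrity protection the sequence number itself is no longer authenticated, so no replay check is possible at all, and the payload also loses tamper detection.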
