The %VPN-SM-4-ICPUPP9 error message appears in the logs of a Cisco Catalyst 6500 switch that runs Cisco IOS Software

Wed, 07/22/2009 - 19:52
Jun 22nd, 2009

Core issue

The %VPN-SM-4-ICPUPP9 error occurs because IP Security (IPsec) packets fail the anti-replay check. The packets fail the check because their sequence numbers do not fit into the 64-packet anti-replay window. The anti-replay check is performed with a sliding window in order to prevent replay attacks.

The most common cause is the use of Quality of Service (QoS) in the network. QoS causes some packets to be prioritized over others. As a result, some packets arrive late and fall outside the window. Usually, this delay does not impact functionality, because higher-level protocols take care of retransmission. The most apparent impact of this problem is choppy voice output when some voice packets are dropped.
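As an added illustration (not part of the original document, and not Cisco code), the following Python model implements the 64-packet sliding window used for the anti-replay check and shows how a packet that QoS delays behind 64 newer packets ends up outside the window and is dropped. The sequence numbers fed in are constructed.

```python
# Added example: a 64-packet IPsec anti-replay sliding window (the bitmap
# algorithm described in RFC 4303) and a constructed arrival order that
# reproduces an out-of-window drop. Not Cisco code.

WINDOW_SIZE = 64


class AntiReplayWindow:
    """Track the highest sequence number accepted and a bitmap of the last
    WINDOW_SIZE sequence numbers, rejecting duplicates and packets that have
    fallen behind the window (the check that fails in %VPN-SM-4-ICPUPP9)."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was received

    def check(self, seq):
        """Return True and record seq if it passes; False if it is a replay
        or too old for the window (e.g. delayed by QoS). seq 0 is invalid."""
        if seq == 0:
            return False
        if seq > self.highest:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # outside the window: dropped as too old
        if self.bitmap & (1 << offset):
            return False   # already received: replay
        self.bitmap |= 1 << offset
        return True


def simulate(arrivals):
    """Feed a constructed arrival order through one window and return the
    sequence numbers that were dropped."""
    win = AntiReplayWindow()
    return [seq for seq in arrivals if not win.check(seq)]


if __name__ == "__main__":
    # Constructed scenario: a low-priority packet (seq 1) is queued behind
    # 65 prioritized packets (seq 2..66), so it arrives 65 behind the window.
    print(simulate(list(range(2, 67)) + [1]))   # [1]
```

Reordering within the window (seq 4 arriving after 5 and 6) is accepted; only packets delayed 64 or more behind the newest accepted packet, or exact duplicates, are rejected.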


Resolution

Currently, the only workaround is to stop authentication of the IPsec packets by removing the Hash-Based Message Authentication Code (HMAC) function from the IPsec transform set, which disables the anti-replay check.

Note: Removing the Hash-Based Message Authentication Code (HMAC) function results in highly degraded security.
