
Crypto Error

kianaun
Level 1

Hi,

Has anyone ever experienced this error log before from the router?

4w5d: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=3

Thanks in advance.

ken

4 Replies

ankurbhasin
Level 9

Hi Ken,

This output shows an example of the 'Replay Check Failed' error:

"%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=#." This error is a result of reordering in the transmission medium (especially if parallel paths exist), or unequal paths of packet processing inside Cisco IOS for large versus small packets plus under load. Change the transform-set to reflect this. The replay check is only seen when transform-set esp-md5-hmac is enabled. In order to suppress this error message, disable esp-md5-hmac and do encryption only.

Have a look at this link

http://www.cisco.com/warp/public/707/ipsec_debug.html

HTH, if yes please rate the post.

Ankur
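
The reordering cause described in the reply above can be reproduced with a small model of an ESP anti-replay sliding window. This is an added example, not part of the original thread and not Cisco code; the 64-packet window, the class and function names, and the packet orderings are assumptions constructed for illustration.

```python
# Added illustration: ESP-style anti-replay sliding window (modelled on RFC 4303).
# WINDOW, the names and the packet orderings are assumptions, not from the thread.
WINDOW = 64  # assumed window size in packets


class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Classify one authenticated packet: 'ok', 'replay' or 'too_old'."""
        if seq > self.top:                      # new highest: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:                 # fell off the left edge
            return "too_old"
        if self.bitmap & (1 << offset):         # same number seen before
            return "replay"
        self.bitmap |= 1 << offset              # late but still inside window
        return "ok"


def delayed(total, victim, delay):
    """Constructed arrival order: packet `victim` arrives `delay` packets late."""
    order = [s for s in range(1, total + 1) if s != victim]
    order.insert(victim - 1 + delay, victim)
    return order


def rejected(order, size=WINDOW):
    """Return (sequence, reason) for every packet the window refuses."""
    win = ReplayWindow(size)
    return [(s, v) for s in order if (v := win.check(s)) != "ok"]


if __name__ == "__main__":
    for delay in (30, 63, 64, 100):
        print(f"delay={delay:3d} rejected={rejected(delayed(200, 10, delay))}")
    print("duplicate:", rejected([1, 2, 3, 2]))
```

In this model a legitimate packet that arrives more than a window's width late is refused by the same check that refuses a true duplicate, which is how reordering on the path can surface as replay errors.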

Thanks Ankur for your reply. But if this transform-set-esp-md5-hmac setting is needed, how can this problem be overcome?

Why is it happening in the first place, since there is this option to set it as transform-set-esp-md5-hmac?

thanks,

ken

Hi

The following are the acceptable transform combinations:

ah-md5-hmac

esp-des

esp-3des and esp-md5-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

comp-lzs

Suggested transform combinations:

esp-des and esp-sha-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

Instead of using esp-md5-hmac as your ESP Authentication Transform, try esp-sha-hmac.

Check this link for more info on the options available:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fipsencr/srfipsec.htm#xtocid4

regds

Hi Kumar,

Thanks for your reply.

I have checked on the router; its transform set is:

XXXX#: sh crypto ipsec transform-set

Transform set setXXX1: { esp-3des esp-sha-hmac }

will negotiate = { Transport, },

And on the peer router, I also found this error message. Not too sure if this is related, or if it is some other issue related to the VPN Hardware Module?

011809: Apr 24 15:59:06: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output replay error(0x08000000)