%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 97, pool offset 0
I searched the Cisco web site and this is what I got:
%C1700_EM-1-ERROR : [chars]
Explanation: An error has occurred in an application using the VPN module.
Recommended Action: Copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.
Cisco's explanation based on the error is as follows:
%C1700_EM-1-ERROR: [chars] An error has occurred in an application using the
Explanation: This error message occurs when a packet is received out of sequence
at the tunnel receiver. To protect against packet replay, a window of size 64 (the default)
is maintained at the tunnel receiver to detect any out-of-sequence packet reception.
This is also called the anti-replay check.
The anti-replay/sequence failure can occur in the following conditions:
1. IPSec implementation with anti-replay (i.e., if authentication is configured) and QoS configured. The anti-replay check in IPSec wants packets to be in sequence, but QoS, which gets applied after IPSec encryption, would re-order the packets depending on packet priority.
2. Packet fragmentation and packets taking different switching paths within the router could be another source of packet re-ordering and such anti-replay drops. Such sequence failures and anti-replay drops are sometimes normal.
3. When data passes at a high rate and the received IPSec packet is fragmented and requires reassembly before authentication verification and decryption.
1. If acceptable, disable authentication, as the anti-replay check is tied to authentication, or disable QoS for the IPSec traffic on the encrypting or intermediate routers.
2. Upgrade to the latest IOS version, which handles these situations more effectively. IOS Version 12.3(14) will allow the user to either disable the anti-replay check or tune the size of the anti-replay window. For details, see IPsec Antireplay Window Expansion and Disable Options.
3. Lower the data rate or reduce the packet size, which does not require fragmentation, using the ip mtu and ip tcp adjust-mss interface configuration commands. Please note that the MTU configuration needs to be done on both ends of the conversation. Use the crypto ipsec fragmentation before-encryption command to enable IPSec pre-fragmentation on the encrypting router so that reassembly is not required at the decrypting router.
One of the above could be the reason/solution. But you may need to contact Cisco for support if the problem remains unsolved.
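
The anti-replay check described in the explanation above, as an added example that is not part of the original post and not Cisco's code: a sliding-window check in the style of RFC 4303, run over a constructed model of QoS re-ordering. The class and function names, the traffic model and the 128-packet comparison window are assumptions made for illustration.

```python
class AntiReplayWindow:
    """Receiver-side sliding window, in the style of RFC 4303 (illustrative)."""

    def __init__(self, size=64):          # 64 is the default cited in the post
        self.size = size
        self.top = 0                      # highest sequence number accepted
        self.bitmap = 0                   # bit i set => (top - i) already seen

    def check_and_update(self, seq):
        """Classify one authenticated packet: 'ok', 'replay' or 'too_old'."""
        if seq > self.top:                # advances the window's right edge
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:           # fell off the left edge: dropped
            return "too_old"
        if self.bitmap & (1 << offset):   # same number seen before: dropped
            return "replay"
        self.bitmap |= 1 << offset        # late, but still inside the window
        return "ok"


def deliver_with_qos(n_packets, low_prio_every, delay):
    """Constructed model: every low_prio_every-th packet is delivered `delay`
    slots late, as when QoS re-orders traffic after encryption."""
    arrivals = [(seq + delay if seq % low_prio_every == 0 else seq, seq)
                for seq in range(1, n_packets + 1)]
    return [seq for _, seq in sorted(arrivals)]


def count_drops(arrival_order, window_size=64):
    """Number of packets the receiver would discard for this arrival order."""
    window = AntiReplayWindow(window_size)
    return sum(window.check_and_update(seq) != "ok" for seq in arrival_order)


if __name__ == "__main__":
    # Constructed traffic: 1000 packets, one in ten low priority.
    for delay, size in [(0, 64), (50, 64), (100, 64), (100, 128)]:
        order = deliver_with_qos(1000, 10, delay)
        print(f"delay={delay:3d} window={size:3d} drops={count_drops(order, size)}")
```

With these constructed inputs, a re-order depth of 50 fits inside the 64-packet window and nothing is dropped, while a depth of 100 drops the delayed packets until the window is widened.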