Error message

Ahmede
Level 1

Does anyone know what this error message means?

%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 97, pool offset 0

I searched the Cisco website and this is what I got:

%C1700_EM-1-ERROR : [chars]

Explanation An error has occurred in an application using the VPN module.

Recommended Action Copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.

Thanks in advance

1 Reply

a.kiprawih
Level 7

Cisco's explanation based on the error is as follows:

%C1700_EM-1-ERROR: [chars] An error has occurred in an application using the VPN module.

Explanation: This error message occurs when a packet is received out-of-sequence at the tunnel receiver. To protect against packet replay, a window of size 64 (default) is maintained at the tunnel receiver to detect any out-of-sequence packet reception. This is also called the anti-replay check.

The anti-replay/sequence failure can occur in the following conditions:

1. IPSec implementation with anti-replay (i.e., if authentication is configured) and QoS configured. The anti-replay check in IPSec wants packets to be in sequence, but QoS, which gets applied after IPSec encryption, would re-order the packets depending on packet priority.

2. Packet fragmentation and packets taking different switching paths within the router could be another source of packet re-ordering and such anti-replay drops. Such sequence failures and anti-replay drops are sometimes normal.

3. When data passes at a high rate and the received IPSec packet is fragmented and requires reassembly before authentication verification and decryption.

Recommended Action:

1. If acceptable, disable authentication, as the anti-replay check is tied to authentication, or disable QoS for the IPSec traffic on the encrypting or intermediate routers.

2. Upgrade to the latest IOS version, which handles these situations more effectively. IOS Version 12.3(14) will allow the user to either disable the anti-replay check or tune the size of the anti-replay window. For details, see "IPsec Antireplay Window Expansion and Disable Options".

3. Lower the data rate or reduce the packet size so that packets do not require fragmentation, using the ip mtu and ip tcp adjust-mss interface configuration commands. Please note that the MTU configuration needs to be done on both ends of the conversation. Use the crypto ipsec fragmentation before-encryption command to enable IPSec pre-fragmentation on the encrypting router so that reassembly is not required at the decrypting router.

One of the above could be the reason/solution. But you may need to contact Cisco for support if the problem remains unsolved.

HTH

AK