Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Single subnet fails VPN connection

We have a cisco 2811 series router set up with a VPN tunnel to a remote site.

We are passing traffic on several subnets with one signe subnet the bulk of the traffic.

Before there was a 3005 VPN concentrator in place of the router and there was not this problem.

The problem is that sometime, the subnet with the most traffic looses connectivity.

All other subnets pass traffic fine.

It takes a router reload to re-establish connection.

I can see some errors in the log, but there doesn't seem to be anything at the time the drop out occurs.

As I said, it never happened on the concentrator even though it was bogged down with all of the traffic.

Any thoughts out there?

*Sep 11 12:40:04.413: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=268447089

*Oct 19 01:39:48.398: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet ha

s invalid spi for

destaddr=, prot=50, spi=0x57DB4666(1473988198), srcaddr=216


*Oct 19 08:18:41.796: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=268445591

*Oct 19 08:49:22.648: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=268445601

Sungard_VPN_Router# term mon

New Member

Re: Single subnet fails VPN connection

"%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=#." This error is a result of reordering in transmission medium (especially if parallel paths exist), or unequal paths of packet processing inside Cisco IOS for large versus small packets plus under load. Change the transform-set to reflect this. The reply check is only seen when transform-set esp-md5-hmac is enabled. In order to surpress this error message, disable esp-md5-hmac and do encryption only

Try this : dissable ip Cef and Reduce the MTU

Try this link: