11-18-2011 02:00 PM
Hey there,
Does anyone know why the ASA is reporting this error message?
nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x (user= bedam) to 10.x.x.x that failed anti-replay checking.
and
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 1423604979
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x , QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x , Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 1423604979
11-22-2011 05:49 AM
Hello Russell,
The first error:
nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x (user= bedam) to 10.x.x.x that failed anti-replay checking.
indicates that the anti-replay check on received IPSec packets failed. This message is displayed when an IPSec packet is received with an invalid sequence number. The peer is sending packets containing sequence numbers that may have been previously used. This system log message indicates that an IPSec packet has been received with a sequence number outside of the acceptable window.
These anti-replay errors could be because the far end of the tunnel is doing QoS or due to per-packet load sharing on the path where the tunnel goes.
We can increase the anti-replay window with the command: crypto ipsec security-association replay window-size 1024
The second error:
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!
indicates a Phase 2 mismatch, e.g. PFS being enabled on one side and disabled on the remote end.
Warm Regards,
Rose
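Added example, not part of the original thread and not the ASA's own code: a sliding-window anti-replay check in the style of RFC 4303, run over constructed traffic in which every tenth packet is held back 200 positions, as a QoS queue or per-packet load sharing might do. The window size 64 and the traffic pattern are assumptions for illustration; 1024 is the value from the command in the reply above.

```python
from collections import Counter

class ReplayWindow:
    """Receiver-side ESP anti-replay window (RFC 4303 style, illustrative)."""
    def __init__(self, size):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) was already received

    def check(self, seq):
        if seq == 0:
            return "drop-invalid"          # ESP sequence numbers start at 1
        if seq > self.top:                 # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:            # fell off the left edge of the window
            return "drop-too-old"
        if self.bitmap & (1 << offset):    # same sequence number seen before
            return "drop-replay"
        self.bitmap |= 1 << offset         # late but inside the window
        return "accept"

def arrival_order(n, every, delay):
    """Constructed traffic: every `every`-th packet arrives `delay` positions late."""
    return sorted(range(1, n + 1),
                  key=lambda s: s + delay if s % every == 0 else s)

def simulate(window_size, n=2000, every=10, delay=200):
    """Count verdicts for the constructed reordered stream."""
    win = ReplayWindow(window_size)
    return Counter(win.check(seq) for seq in arrival_order(n, every, delay))

if __name__ == "__main__":
    for size in (64, 1024):                # 64 is an assumed small window
        print(f"window {size}: {dict(simulate(size))}")
```

With the small window the delayed packets are rejected as too old even though none of them is a true replay, which is the condition the 402119 message reports; with a window of 1024 the same stream is accepted in full.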