Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11554
Views
0
Helpful
1
Replies

ASA error messages

Russell Pearson
Level 1
Level 1

‎11-18-2011 02:00 PM

Hey there,

Does anyone know why the ASA is reporting this error message?

nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x  (user= bedam) to 10.x.x.x that failed anti-replay checking.

and

Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!

Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 1423604979 Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x , QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x , Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 1423604979

Labels:
0 Helpful
1 Reply 1

Rozsa Illes
Cisco Employee
Cisco Employee

‎11-22-2011 05:49 AM

Hello Russell,

The first error:

nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x  (user= bedam) to 10.x.x.x that failed anti-replay checking.

indicates that anti-replay check on received IPSec packets failed. This message is displayed when an IPSec packet is received with an invalid sequence number. The peer is sending packets containing sequence numbers that may have been previously used. This system log message indicates that an IPSec packet has been received with a sequence number outside of the acceptable window.

These Anti-Reply errors could be because far end of the tunnel is doing QoS or due to per-packet load sharing on the path where tunnel goes. 

We can increase the anti reply window with the command: crypto ipsec security-association replay window-size 1024

The second error:

Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!

indicates a phase2 mismatch, eg. pfs being enabled on one side and disabled on the remote end.

Warm Regards,

Rose

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents