nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x (user= bedam) to 10.x.x.x that failed anti-replay checking.
indicates that the anti-replay check on a received IPsec packet failed. The ASA logs this message when an ESP packet arrives with a sequence number it will not accept: either one that may already have been used (a possible replay) or one that falls outside the acceptable anti-replay window.
These anti-replay errors can occur because the far end of the tunnel is applying QoS, or because of per-packet load sharing on the path the tunnel takes; both reorder or delay packets so that some arrive after the window has already moved past their sequence number.
We can increase the anti-replay window with the command: crypto ipsec security-association replay window-size 1024
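To show why a larger window helps, here is an added Python model (not from the original post) of the RFC 4303 sliding-window anti-replay check; the packet stream, the delayed sequence number and the delay are constructed values. It shows a packet delayed by reordering being dropped with the default 64-packet window but accepted with a 1024-packet window, while a true replay is rejected by both.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check in the style of RFC 4303 Appendix A.

    `last_seq` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (last_seq - i) has been received.
    """

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.last_seq = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if acceptable; False if replayed or too old."""
        if seq == 0:
            return False  # ESP never uses sequence number 0
        if seq > self.last_seq:
            # New high-water mark: slide the window forward.
            shift = seq - self.last_seq
            if shift < self.window_size:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # jumped past the whole window
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window_size:
            return False  # older than the window: dropped (ASA-4-402119)
        if (self.bitmap >> diff) & 1:
            return False  # already received: a genuine replay
        self.bitmap |= 1 << diff
        return True


def simulate(window_size, delayed_seq, delay, replays=()):
    """Deliver 1..(delayed_seq + delay) in order except `delayed_seq`, which
    arrives `delay` packets late; `replays` are re-sent copies appended at
    the end. Return the list of sequence numbers the receiver dropped."""
    win = AntiReplayWindow(window_size)
    order = [s for s in range(1, delayed_seq + delay + 1) if s != delayed_seq]
    order.append(delayed_seq)
    order.extend(replays)
    return [s for s in order if not win.check_and_update(s)]


if __name__ == "__main__":
    print("window 64:  dropped", simulate(64, 200, 100, replays=(250,)))
    print("window 1024: dropped", simulate(1024, 200, 100, replays=(250,)))
```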
The second error:
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!
indicates a Phase 2 (IPsec SA) mismatch, e.g. PFS enabled on one side and disabled on the remote end.