Cisco Support Community

New Member

ASA error messages

Hey there,

Does anyone know why the ASA is reporting this error message?

nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x  (user= bedam) to 10.x.x.x that failed anti-replay checking.

and

Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!

Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 1423604979
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x , QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!
Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x , Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 1423604979

  • Remote Access
1 REPLY
Cisco Employee

ASA error messages

Hello Russell,

The first error:

nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x  (user= bedam) to 10.x.x.x that failed anti-replay checking.

indicates that anti-replay check on received IPSec packets failed. This message is displayed when an IPSec packet is received with an invalid sequence number. The peer is sending packets containing sequence numbers that may have been previously used. This system log message indicates that an IPSec packet has been received with a sequence number outside of the acceptable window.

These anti-replay errors could be because the far end of the tunnel is doing QoS, or due to per-packet load sharing on the path the tunnel goes over.

We can increase the anti-replay window with the command: crypto ipsec security-association replay window-size 1024

The second error:

Nov 18 2011 13:38:29: %ASA-3-713902: Group = X, Username = bedam, IP = 68.x.x.x, QM FSM error (P2 struct &0x775b88e8, mess id 0x54da7cf3)!

indicates a Phase 2 mismatch, e.g. PFS being enabled on one side and disabled on the remote end.

Warm Regards,

Rose
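To make the anti-replay explanation above concrete, here is an added Python example (not from the original thread or from Cisco) that models the RFC 4303 sliding receive window and replays a reordered packet stream through it with a 64-packet window and a 1024-packet window. It also parses the posted %ASA-4-402119 line so the SPI and sequence number can be pulled out of syslog for monitoring. The arrival order, the window sizes and the class/function names are all assumptions made for the illustration.

```python
import re

# Regex for the ASA 402119 message as it appears in the thread (assumed format).
ASA_402119 = re.compile(
    r"%ASA-4-402119: IPSEC: Received an ESP packet \(SPI= (?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) from (?P<src>\S+)\s+"
    r"\(user= (?P<user>[^)]+)\) to (?P<dst>\S+) that failed anti-replay checking"
)


def parse_402119(line):
    """Return the SPI, sequence number, peer, user and destination from a
    402119 syslog line, or None if the line is a different message."""
    m = ASA_402119.search(line)
    if not m:
        return None
    return {
        "spi": int(m.group("spi"), 16),
        "seq": int(m.group("seq"), 16),
        "src": m.group("src"),
        "user": m.group("user"),
        "dst": m.group("dst"),
    }


class AntiReplayWindow:
    """RFC 4303 style anti-replay receive window (assumed simplified model).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been seen."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Accept or reject one ESP sequence number, updating the window.
        Returns (accepted, reason)."""
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.window_size:
                self.bitmap = 1  # everything older falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True, "new"
        diff = self.top - seq
        if diff >= self.window_size:
            # Too old: this is what the ASA logs as 402119 for a late,
            # reordered packet even though it was never actually replayed.
            return False, "outside window"
        if (self.bitmap >> diff) & 1:
            return False, "replay"  # genuinely duplicated sequence number
        self.bitmap |= 1 << diff
        return True, "in window"


def simulate(window_size, arrivals):
    """Feed an arrival order of sequence numbers through a window and return
    the list of (seq, reason) pairs that were rejected."""
    window = AntiReplayWindow(window_size)
    rejected = []
    for seq in arrivals:
        ok, reason = window.check(seq)
        if not ok:
            rejected.append((seq, reason))
    return rejected


# Constructed arrival order: packets 1..150 in order, except packet 5 is
# delayed (as QoS or per-packet load sharing can do) and lands after 150.
REORDERED = list(range(1, 5)) + list(range(6, 151)) + [5]

# The 402119 line from the thread, used as sample input for the parser.
SAMPLE_LOG = ("nov 18 2011 13:36:01: %ASA-4-402119: IPSEC: Received an ESP packet "
              "(SPI= 0x1B86506B, sequence number= 0x28B) from 68.x.x.x  (user= bedam) "
              "to 10.x.x.x that failed anti-replay checking.")

if __name__ == "__main__":
    print("window 64:  ", simulate(64, REORDERED))     # late packet 5 rejected
    print("window 1024:", simulate(1024, REORDERED))   # late packet 5 accepted
    print("true replay:", simulate(64, [1, 2, 3, 3]))  # duplicate 3 rejected
    print(parse_402119(SAMPLE_LOG))
```

The point the simulation makes: a late packet 145 positions behind the newest one is rejected with a 64-packet window and accepted with a 1024-packet window, while a genuinely duplicated sequence number is rejected under either size, so widening the window keeps replay protection while tolerating reordering. In a SIEM, grouping parsed 402119 events by SPI and peer and alerting when the count per SA spikes is a cheap way to tell benign reordering from something that warrants a look at the tunnel.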

9951 Views · 0 Helpful · 1 Replies