%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1777, sequence number=161369

Paul Wishart · ‎10-14-2013

I have a pair of 3945E routers I use as redundant VPN head-ends in our data center and numerous 2901 and one 2951 used as spoke routers. Each of the spokes is connected to the 3945's over VTI tunnels three and four. We regularly see replay errors occur, but this morning, we had it get disruptive enough on one of the tunnels on the 2951 where we were experienced 80 to 90 percent packet loss across that one tunnel. This caused an outage which I was only able to rectify by shutting down the tunnel interface on each router and bringing them back up, thus resetting the SA.

I'm needing to understand how to reduce or completely eliminate the replay errors. I've read something about increasing the replay window size, but don't have a clue where to start. What is the best way to fix this without disabling replay checking? Or, since the VPN head-ends and spoke routers only have static routes established across the Internet to each other, is replay checking even necessary or desired?

Thanks in advance!

Paul WIshart

adamtodd16 · ‎10-29-2013

Hi Paul - I am facing the same issue with exactly the same setup. Just wondering if you ever found a resolution?

Paul Wishart · ‎10-29-2013

Adam,

I don't have a resolution yet, so I opened a TAC case last Saturday. I'll keep you posted on this forum.

adamtodd16 · ‎10-29-2013

Thanks Paul. I will do the same if I am able to sort through it.