Cisco Support Community

New Member

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1777, sequence number=161369

I have a pair of 3945E routers I use as redundant VPN head-ends in our data center and numerous 2901 and one 2951 used as spoke routers.  Each of the spokes is connected to the 3945's over VTI tunnels three and four.  We regularly see replay errors occur, but this morning, we had it get disruptive enough on one of the tunnels on the 2951 where we were experiencing 80 to 90 percent packet loss across that one tunnel.  This caused an outage which I was only able to rectify by shutting down the tunnel interface on each router and bringing them back up, thus resetting the SA.

I'm needing to understand how to reduce or completely eliminate the replay errors.  I've read something about increasing the replay window size, but don't have a clue where to start.  What is the best way to fix this without disabling replay checking?  Or, since the VPN head-ends and spoke routers only have static routes established across the Internet to each other, is replay checking even necessary or desired?

Thanks in advance!

Paul Wishart

  • VPN
New Member

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connectio

Hi Paul - I am facing the same issue with exactly the same setup. Just wondering if you ever found a resolution?

New Member

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connectio


I don't have a resolution yet, so I opened a TAC case last Saturday.  I'll keep you posted on this forum.

New Member

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connectio

Thanks Paul. I will do the same if I am able to sort through it.
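
Added example, not part of the thread and not Cisco's code: a sliding-window anti-replay check in the style of RFC 4303, run over a constructed arrival order in which every tenth packet shows up 100 slots late. It shows why reordering alone produces "replay check failed" drops with a narrow window, and that a wider window still rejects a genuine duplicate. The window sizes 64 and 1024 and the delay pattern are assumptions chosen for illustration.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 (ESP, 32-bit
sequence numbers). Traffic pattern below is constructed, not captured."""


class ReplayWindow:
    def __init__(self, size):
        self.size = size    # window width in packets
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen

    def accept(self, seq):
        """Return True and record seq if it passes the replay check."""
        if seq < 1:
            return False                          # ESP counters start at 1
        if seq > self.top:                        # moves the right edge
            shift = seq - self.top
            old = self.bitmap << shift if shift < self.size else 0
            self.bitmap = (old | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                   # left of window: rejected
            return False
        if self.bitmap & (1 << offset):           # already seen: rejected
            return False
        self.bitmap |= 1 << offset                # late but inside window
        return True


def delayed_arrivals(n, every, delay):
    """Constructed order: every `every`-th packet arrives `delay` slots late,
    as if queued behind other traffic somewhere on the path."""
    return sorted(range(1, n + 1),
                  key=lambda s: (s + delay, 1) if s % every == 0 else (s, 0))


def dropped(window_size, arrivals):
    """Sequence numbers the receiver rejects, in arrival order."""
    win = ReplayWindow(window_size)
    return [s for s in arrivals if not win.accept(s)]


if __name__ == "__main__":
    order = delayed_arrivals(n=1000, every=10, delay=100)
    for size in (64, 1024):                       # illustrative sizes
        print(f"window={size:4d} dropped={len(dropped(size, order))}")
    # A true replay is still rejected with the larger window.
    print(dropped(1024, order + [500]))
```

On IOS the corresponding knob is `crypto ipsec security-association replay window-size`; the simulation only models the receiver-side check, not where on the path the reordering is introduced.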
