
%CRYPTO-4-PKT_REPLAY_ERR:

I have been seeing the following error message in the logs for a few days now.

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=4587, sequence number=17094

I managed to track down connection id 4587 and I can see the peer IP with the actual recv errors. There are no issues with the VPN itself; traffic is working fine.

I have tried increasing the replay window size under the specific crypto map for that particular peer and it makes no difference. I even cleared the SA after applying the changes.

crypto map xxxxxxxxx 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association replay window-size 1024


I have also increased the replay window globally to 1024; however, the errors keep appearing.

crypto ipsec security-association replay window-size 1024

Has anyone actually disabled replay window checking? Did it impact anything?

crypto ipsec security-association replay disable
no crypto ipsec security-association replay window-size 1024

Does it actually stop the replay errors?

Or, to stop these errors, do you need to change the hash algorithm from sha instead of md5?
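As an added illustration (not code from this post or from Cisco), the Python model below implements the sliding-window anti-replay check that IPsec ESP receivers use (RFC 4303, Appendix A). It shows the two distinct reasons a packet fails the check: it arrived more than window-size sequence numbers behind the newest packet (which a larger window tolerates), or its sequence number was already received (a duplicate, which fails at any window size). The sequence numbers are constructed; the window sizes 64 and 1024 are the default and the value tried in the post.

```python
"""Sliding-window anti-replay check as used by IPsec ESP (RFC 4303, App. A).

Added illustration, not code from the original post or from Cisco.
The arrival order below is constructed to show both failure modes.
"""


class AntiReplayWindow:
    """Tracks received ESP sequence numbers with a bitmap of `size` slots."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was received

    def check_and_update(self, seq):
        """Return True if `seq` passes the replay check and record it.

        Returns False (the case logged as %CRYPTO-4-PKT_REPLAY_ERR) when the
        packet is older than the window remembers or was already received.
        """
        if seq > self.top:
            # Newer than anything seen: slide the window forward to `seq`.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False            # too old: fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False            # already received: a genuine duplicate/replay
        self.bitmap |= 1 << offset  # late but still inside the window: accept once
        return True


def replay_failures(seqs, window_size):
    """Feed ESP sequence numbers in arrival order; return those that fail."""
    win = AntiReplayWindow(window_size)
    return [s for s in seqs if not win.check_and_update(s)]


# Constructed arrival order: in order except that packet 50 is delayed by
# 100 slots, and packet 120 arrives a second time (a true duplicate).
ARRIVALS = list(range(1, 50)) + list(range(51, 151)) + [50, 120]

if __name__ == "__main__":
    print("window 64  :", replay_failures(ARRIVALS, 64))    # [50, 120]
    print("window 1024:", replay_failures(ARRIVALS, 1024))  # [120]
```

With the 64-slot window the delayed packet 50 and the duplicate 120 both fail; widening the window to 1024 rescues the delayed packet but the duplicate still fails, so failures that persist after a window increase are not caused by reordering depth.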

