Experiencing tunnel failures periodically and receiving these messages at the Head End Router in front of they Key Server roughly at the same time the remote router is dropping the tunnel.
%GDOI-3-REPLAY_FAILED: An anti replay check has failed in group gdoi-group. my_pseudotime is 184467440722644365.83 secs, peer_pseudotime is 184467440722644223.30 secs, replay_window is 5 (second)
The tunnel recovers itself within 10 - 15 minutes. Difficulty has been trying to catch the problem as it happens so I can gather more information. Logging messages aren't providing any more than the above.
Remote Router shows - nothing more than Tunnel recovered
Checking the System Messages, it says this is informational and no action is necessary. Yet in other searches I have found this may be due to;
- fragmentation (ruled this out)
- traffic load (not seeing anything that leads to this)
- too short a time replay windows (thinking this may be something to look into)
Before I changed the the anti-replay time window size on the key server I was looking for some advice;
1) Am I on the right path
2) Are there other steps to take to zero in on the problem as it's happening (hard to predict when and where - over 50 remote sites)
3) If I change the anti-replay time window size, will it disrupt communications to the remote sites when the new value is pushed out from the Key Server
Key Server Config for reference
crypto gdoi group gdoi-group identity number 1 server local rekey lifetime seconds 10800 rekey retransmit 10 number 2 rekey authentication mypubkey rsa xyzxyz rekey transport unicast sa ipsec 1 profile gdoi-profile match address ipv4 sa-acl replay time window-size 5 address ipv4 22.214.171.124
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...