Cisco Support Community
Community Member

IPSec Anti-Replay Window Size

I am occasionally getting the following message

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

I know that I can change my anti-replay window size but don't know what reasonable numbers are or what impact on resources will result from upping the window. VoIP generates lots of packets, so I am guessing the window size might need to be larger rather than smaller. Any suggestions?

Remote sites - Cisco 2801 w/ 64/256Mb

Head-End - Cisco 3845 w/ 64/256Mb


Re: IPSec Anti-Replay Window Size


I wouldn't think expanding the window size will have any significant impact on resources. The only resource impacted is memory, since it'll have to remember a larger range of sequence numbers; but I don't think this is a large impact.

You can go from the default 64 to say 200 if that makes any diff, and increase further.

If your underlying n/w has re-ordering/drop issues due to multiple paths (or LLQ for voip), then increasing the window size will postpone replay error drops. If at 200, you still have drops - say the low priority is still getting dropped, you will have to increase the window further.

Bottom line is, there is no recommended value as such. It will be trial and error, based on the particular n/w scenario.

Hope this helps.
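
Added example, not part of the original posts and not Cisco's implementation: a sliding-window anti-replay check in the style of RFC 4303, run over constructed traffic in which one low-priority packet is queued behind 150 voice packets. The class, function names and traffic are assumptions; it compares the window sizes 64 and 200 mentioned in the reply.

```python
class ReplayWindow:
    """Receiver-side anti-replay state for one SA (illustrative model)."""

    def __init__(self, size):
        self.size = size    # window width in packets
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen

    def check_and_update(self, seq):
        """Return True if the packet passes the replay check."""
        if seq < 1:                         # ESP sequence numbers start at 1
            return False
        if seq > self.top:                  # new highest: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1     # state stays at `size` bits
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:             # older than the window: dropped
            return False
        if self.bitmap & (1 << offset):     # already seen: true replay
            return False
        self.bitmap |= 1 << offset          # late but inside the window
        return True


def delayed_stream(total, late_seq, delay):
    """Constructed arrival order: late_seq arrives `delay` packets late."""
    order = [s for s in range(1, total + 1) if s != late_seq]
    order.insert(late_seq - 1 + delay, late_seq)
    order.append(total - 5)                 # constructed duplicate (a replay)
    return order


def dropped(window_size, arrivals):
    """Sequence numbers that fail the replay check, in arrival order."""
    window = ReplayWindow(window_size)
    return [s for s in arrivals if not window.check_and_update(s)]


if __name__ == "__main__":
    arrivals = delayed_stream(total=400, late_seq=10, delay=150)
    for size in (64, 200):
        print(f"window {size}: dropped {dropped(size, arrivals)}")
```

In this model the per-SA state is one bitmap of window-size bits plus a counter, and the duplicate is rejected at both sizes while the reordered packet is only lost at 64.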



Community Member

Re: IPSec Anti-Replay Window Size

Thanks! As a window size increase I would not think that it would have much impact but...
