
New Member

PIX fail antireplay check

Has anyone run into a PIX reporting back a large number of these errors which show up as recv errors in a "sho crypto ipsec sa"?

Debug message:

IPSEC(cipher_ipsec_request): decap failed for 24.x.x.x -> 64.x.x.x IPSEC(sw_esp_decap): fail antireplay check

The site where these errors appear (about 10% of all packets) has a 506 v6.3.5 and the other end is a 515 v7.0.4. 12 other sites run the exact same configuration (506, 6.3.5 & config) as the problem site and none show this problem.

There is little documentation on this error message. IOS allows you to modify the anti-replay window but not the PIX. Assuming this is probably not a real replay attack - could this be an issue with the ISP screwing up the order of the packets inbound? Or somehow delaying 10% of the packets to the 506? Any ideas?
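To show why reordering by itself is usually harmless but a large delay is not, here is an added model of the ESP receiver's anti-replay sliding window (not code from the thread or from Cisco): packets that arrive out of order but still inside the window are accepted, while packets delayed by more than the window size, or true duplicates, get the same "fail antireplay check" result. The window size of 64 is an assumption (the IOS default; the post notes the PIX does not let you change it), and the delayed-traffic pattern is constructed for the example.

```python
# Added example: receiver-side ESP anti-replay window (RFC 4303-style bitmap).
# Assumes a 64-packet window; the traffic patterns below are constructed.

class AntiReplayWindow:
    """Anti-replay state for one inbound IPsec SA."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Return True if seq passes the anti-replay check, else False."""
        if seq == 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.top:                    # new high water mark: slide window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: fell off the window
        if self.bitmap & (1 << offset):
            return False                      # duplicate: a real replay
        self.bitmap |= 1 << offset            # late but inside the window
        return True


def replay_failures(arrival_order, window=64):
    """Feed sequence numbers in arrival order; return how many are rejected."""
    w = AntiReplayWindow(window)
    return sum(0 if w.check(s) else 1 for s in arrival_order)


def delay_every_nth(n_packets, every, delay):
    """Constructed arrival order: every `every`-th packet arrives `delay` slots late."""
    seqs = range(1, n_packets + 1)
    arrival = {s: (s - 1) + (delay if (s - 1) % every == 0 else 0) for s in seqs}
    return sorted(seqs, key=lambda s: (arrival[s], s))


if __name__ == "__main__":
    # 10% of packets delayed by 30 slots: all inside the window, no failures.
    print(replay_failures(delay_every_nth(1000, 10, 30)))   # 0
    # 10% of packets delayed by 100 slots: nearly all of them fail the check.
    print(replay_failures(delay_every_nth(1000, 10, 100)))  # 94
```

The second run matches the symptom in the post: a path that holds back a fraction of packets for longer than the window produces roughly that fraction of recv errors without any replay actually happening.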

1 REPLY
New Member

Re: PIX fail antireplay check

Unfortunately I don't have an answer, but I have a similar problem. The only difference is that I have a PIX 520 6.3(5) instead of a PIX 515, and a dozen remote sites with PIX 506 6.3(5). The problem occurs only with one site, though the errors are much lower, around 0.02%. VPN with this site has been running for the last 4 years and I only noticed this error last December. I posted a message on comp.dcom.sys.cisco but got no answers.

I'll let you know if I ever find something...
