PIX fail antireplay check

mcordiez
Level 1

Has anyone run into a PIX reporting back a large number of these errors which show up as recv errors in a "sho crypto ipsec sa"?

Debug message:

IPSEC(cipher_ipsec_request): decap failed for 24.x.x.x -> 64.x.x.x IPSEC(sw_esp_decap): fail antireplay check

The site where these errors appear (about 10% of all packets) has a 506 v6.3.5 and the other end is a 515 v7.0.4. 12 other sites run the exact same configuration (506, 6.3.5 & config) as the problem site and none show this problem.

There is little documentation on this error message. IOS allows you to modify the anti-replay window, but the PIX does not. Assuming this is probably not a real replay attack, could this be an issue with the ISP screwing up the order of the packets inbound? Or somehow delaying 10% of the packets to the 506? Any ideas?

1 Reply
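The anti-replay window the post above is asking about, as an added example that is not code from the post or from any Cisco product: a sliding-window replay check written in the style of RFC 4303 Appendix A, run over a constructed packet stream in which every tenth packet is held back. The 64-packet window (the RFC 4303 default), the stream length, the "every tenth packet arrives 100 slots late" pattern and the 1024-packet alternative are all assumptions chosen to show the mechanism; nothing here describes PIX or IOS internals.

```python
"""Sliding-window ESP anti-replay check, after RFC 4303 Appendix A.

Added example, not code from the forum thread or from Cisco. The window
size, stream length and delay pattern are assumptions for illustration.
"""

WINDOW = 64  # assumed: the RFC 4303 default receiver window


class AntiReplayWindow:
    """Tracks which of the last `size` sequence numbers have been accepted."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far (right edge)
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if it passes the replay check, else False."""
        if seq == 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.top:                    # new right edge: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # jumped past the whole window
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: the "fail antireplay check" case
        if self.bitmap & (1 << offset):
            return False                      # duplicate: a genuine replay
        self.bitmap |= 1 << offset            # late but inside the window: accepted
        return True


def reorder_stream(n, every, delay):
    """Constructed sample stream: packets 1..n are sent in order, and every
    `every`-th packet arrives `delay` slots late, standing in for an ISP path
    that holds back some packets. Returns sequence numbers in arrival order."""
    arrivals = []
    for seq in range(1, n + 1):
        late = delay if seq % every == 0 else 0
        arrivals.append((seq + late, seq))
    arrivals.sort()
    return [seq for _, seq in arrivals]


def count_replay_failures(stream, size=WINDOW):
    """Run the stream through a fresh window; return the rejected sequence numbers."""
    win = AntiReplayWindow(size)
    return [seq for seq in stream if not win.check_and_update(seq)]


if __name__ == "__main__":
    stream = reorder_stream(1000, every=10, delay=100)
    for size in (64, 1024):
        rejected = count_replay_failures(stream, size)
        print(f"window {size:4d}: {len(rejected)} of {len(stream)} packets fail the check")
    # a true replay: the same sequence number delivered twice inside the window
    print("duplicate:", count_replay_failures([1, 2, 3, 2]))
```

With the assumed parameters the 64-packet window rejects 93 of the 100 late packets (the last seven land after the sender has stopped, so nothing has pushed the window past them), while a 1024-packet window rejects none of the same stream; a delay of 30 slots also passes untouched. The check only fails a packet that arrives more than size-1 sequence numbers behind the highest one already seen, or that repeats a number already inside the window, so a constant small amount of reordering never trips it: a steady 10% failure rate is consistent with a fraction of packets being delayed by more than a window's worth of traffic, not with ordinary jitter.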

michelcaissie
Level 1

Unfortunately I don't have an answer, but I have a similar problem. The only difference is that I have a PIX 520 6.3(5) instead of a PIX 515, and a dozen remote sites with PIX 506 6.3(5). The problem occurs only with one site, though the errors are much lower, around .02%. The VPN with this site has been running for the last 4 years and I only noticed this error last December. I posted a message on comp.dcom.sys.cisco but got no answers.

I'll let you know if i ever find something...
