Cisco Support Community

New Member

Replay check failed message

I am seeing occasional syslogs of this type on a 1711 router running IPSec:

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=3, sequence number=0

Does this mean that an ESP packet was seen with a sequence number of 0? What exactly does the connection id refer to?

Cisco Employee

Re: Replay check failed message

The error %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection means that the packet got discarded due to the anti-replay check. It means that you are having out-of-order packets. This could cause packet retransmission.

There are 3 possible triggering conditions for this error to occur and they are outlined here:

1. The IPSec encrypted packets are forwarded out of order by the encrypting router. This is typically a result of QoS configuration on the encrypting router.

2. The IPSec packets received by the decrypting router are out of order due to packet reordering at an intermediate device (ISP issue, and the most common).

3. The received IPSec packet is fragmented and requires reassembly before authentication verification and decryption. Since the reassembly process is taking place at the process level, it's possible that by the time the large packet is reassembled, 64 smaller packets have already been processed by the crypto engine, thus causing the large packet to miss the anti-replay window.

Now to avoid these error messages we need to increase the window size or disable the anti-replay check in case the packets are arriving out of order. In case of fragmentation it will be better to avoid fragmentation by using a lower MTU value or fragmentation before encryption.

The easiest way to try and solve this issue is by disabling authentication on phase II. This means to get rid of the modifier 'esp-sha-hmac' or 'esp-md5-hmac' configured on the transform set. This will need to be done also on the remote peer involved in this tunnel. Keep in mind that this won't affect the encryption of the traffic, it will only instruct the router not to check that the traffic is arriving in the correct order.

Another option: there is a new feature added in 12.3(14)T that is also available in the 12.4T train.

Please review the url below for further details.

Section: IPsec Antireplay Window Expansion and Disable Options

Hope this helps.
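The sliding-window check behind the message above, as an added example that is not Cisco's code and not part of the original thread: a minimal RFC 4303-style ESP anti-replay window (default width 64, as the reply describes) that shows a mildly reordered packet being accepted, a fragmented packet that arrives after 64 smaller ones being dropped, and the same packet being accepted once the window is widened. The sequence numbers and arrival orders are constructed for the demonstration.

```python
# Added example (not Cisco's implementation): model of the ESP anti-replay
# sliding window from RFC 4303 with a configurable width, default 64.
WINDOW_SIZE = 64


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound IPsec SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.right = 0      # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => seq (right - i) already seen

    def check_and_update(self, seq):
        """Return (accepted, reason); state is updated only on accept."""
        if seq == 0:
            # RFC 4303: the first packet on an SA carries sequence number 1,
            # so 0 is never a valid ESP sequence number.
            return False, "sequence number 0 is never valid"
        if seq > self.right:
            # New highest sequence number: slide the window forward.
            shift = seq - self.right
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.right = seq
            return True, "accepted (window advanced)"
        diff = self.right - seq
        if diff >= self.size:
            # Too far behind the newest packet: the delayed/reordered case
            # that the router reports as a failed replay check.
            return False, "replay check failed: below window"
        if self.bitmap & (1 << diff):
            return False, "replay check failed: duplicate"
        self.bitmap |= 1 << diff
        return True, "accepted (late but inside window)"


def simulate(arrival_order, size=WINDOW_SIZE):
    """Feed sequence numbers in arrival order; return (seq, accepted, reason) per packet."""
    win = AntiReplayWindow(size)
    return [(seq,) + win.check_and_update(seq) for seq in arrival_order]


# Constructed arrival orders.
# Trigger 2 (mild reordering by an intermediate device): seq 5 arrives after 6.
MILD_REORDER = [1, 2, 3, 4, 6, 5, 7]
# Trigger 3 (late reassembly): seq 1 is held for reassembly while seq 2..65
# (64 packets) pass the crypto engine, so it lands 64 behind the newest packet.
LATE_REASSEMBLY = list(range(2, 66)) + [1]

if __name__ == "__main__":
    for order, size in ((MILD_REORDER, 64), (LATE_REASSEMBLY, 64), (LATE_REASSEMBLY, 128)):
        print(f"window={size}: last packet -> {simulate(order, size)[-1]}")
```

With the default width the fragmented packet is rejected as "below window"; widening the window to 128 (the effect of the window-expansion feature the reply mentions) lets the same arrival order through.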