The error %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection
means that a packet was discarded by the anti-replay check, i.e. packets are arriving out of order. This can
cause packet retransmission.
There are 3 possible triggering conditions for this error, outlined here:
1. The IPsec encrypted packets are forwarded out of order by the encrypting router. This is typically the result of a QoS configuration on the encrypting router.
2. The IPsec packets received by the decrypting router are out of order because of packet reordering at an intermediate device (an ISP issue, and the most common cause).
3. The received IPsec packet is fragmented and requires reassembly before authentication verification and decryption. Since reassembly takes place at the process
level, it is possible that by the time the large packet is reassembled, 64 smaller packets have already been processed by the
crypto engine, so the large packet falls outside the anti-replay window.
To avoid these error messages when packets are arriving out of order, increase the anti-replay window size or disable the anti-replay check. In the fragmentation case it is
better to avoid fragmentation altogether, either by using a lower MTU value or by fragmenting before encryption.
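To show why the third cause drops the reassembled packet and why a wider window fixes it, here is an added simulation of the ESP anti-replay sliding window (RFC 4303 style); it is example code written for this page, not Cisco's implementation, and the class and function names are my own.

```python
# Added example (not from the original post): simulate the ESP anti-replay
# sliding window to see which sequence numbers a decryptor would discard.

class AntiReplayWindow:
    """Sliding window over ESP sequence numbers. The receiver tracks the
    highest sequence accepted so far plus a bitmap of recent arrivals."""

    def __init__(self, size=64):
        self.size = size      # default window on IOS is 64 packets
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (top - i) already seen

    def check(self, seq):
        """Return True and record seq if it passes the replay check."""
        if seq == 0:
            return False                      # sequence 0 is never valid in ESP
        if seq > self.top:                    # new high-water mark: slide window right
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) | 1
            else:
                self.bitmap = 1               # slid past everything we knew about
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # too old: "replay check failed"
            return False
        if self.bitmap & (1 << offset):       # already received: a genuine replay
            return False
        self.bitmap |= 1 << offset            # late but inside the window: accept
        return True


def simulate(delivery_order, window_size=64):
    """Feed sequence numbers in delivery order; return those the check drops."""
    window = AntiReplayWindow(window_size)
    return [s for s in delivery_order if not window.check(s)]


def fragmented_large_packet(window_size, small_packets_in_between):
    """The page's third cause: the large packet (seq 1) is reassembled only after
    N smaller packets (seq 2..N+1) have already passed through the crypto engine."""
    order = list(range(2, small_packets_in_between + 2)) + [1]
    return simulate(order, window_size)
```

With 64 small packets processed in between, the reassembled packet is dropped at the default window but accepted at 1024. On IOS the window is widened globally with `crypto ipsec security-association replay window-size <n>`, or per crypto map with `set security-association replay window-size <n>`.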
The easiest way to try to solve this issue is to disable authentication in phase 2, i.e. remove the 'esp-sha-hmac' or 'esp-md5-hmac' modifier configured on the
transform set. This must also be done on the remote peer of this tunnel. Keep in mind that this does not affect the encryption of the traffic; it only instructs the router not to check that the traffic is arriving in the correct order.
Another option: a new feature was added in 12.3(14)T and is also available in the 12.4T train.