topic ASA 5510 anti-replay window for vpn in Network Security

ASA 5510 anti-replay window for vpn

Balakumaresan Saravanan — Mon, 11 Mar 2019 21:10:41 GMT

Hi all,

Can you anyone tell me the command to view current anti-reply window size in ASA 5510?

ASA 5510 anti-replay window for vpn

varrao — Fri, 12 Aug 2011 06:47:02 GMT

Hi Bala,

The command should be "show cryoto ipsec sa" on the ASA and the command to set the value is "set security-association replay window-size " , try it and let me know how it goes.

HTH,

Varun

ASA 5510 anti-replay window for vpn

Balakumaresan Saravanan — Fri, 12 Aug 2011 07:07:50 GMT

Varun,

We couldnt able find window size in that command. i have copied output command here. This is very critical we need to change the window size but before that we want to see the current window size also we are running two tunnels on ASA 5510. Is it possible to change window size for single tunnel or we can change it globally? reply asap. kindly do the needful.

thanks.

inbound esp sas:

spi: 0x916B73A3 (2439738275)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 163840, crypto-map: VPN

sa timing: remaining key lifetime (kB/sec): (3518375/2528)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x635F2042 (1667178562)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 163840, crypto-map: VPN

sa timing: remaining key lifetime (kB/sec): (3549940/2528)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000000 0x00000000 0x00000001

0x00000000 0x00000000 0x00000000 0x00000000

Re: ASA 5510 anti-replay window for vpn

varrao — Fri, 12 Aug 2011 07:44:35 GMT

You should be able to see it in "show run crypto" command, something like this:

crypto map YNRCPHV02 10 ipsec-isakmp 
 set peer 172.18.100.101
 set security-association replay window-size 256  set transform-set myset 
 match address asa5510

Thanks,
Varun

Re: ASA 5510 anti-replay window for vpn

varrao — Fri, 12 Aug 2011 07:57:33 GMT

This should also help:

show run crypto | in replay

Thanks,

Varun

ASA 5510 anti-replay window for vpn

Balakumaresan Saravanan — Fri, 12 Aug 2011 08:12:31 GMT

Thanks varun, Now its coming, thanks for your help.

ASA 5510 anti-replay window for vpn

varrao — Fri, 12 Aug 2011 08:15:18 GMT

No issues, glad I could help.

-Varun

ASA 5510 anti-replay window for vpn

Sanjay Shaw — Sun, 10 Feb 2013 01:41:10 GMT

Hi am too getting the messageon my router:

CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=407, sequence number=455744

To resolve this I have tried to put the command at remote end node:

crypto ipsec security-association replay window-size 1024....but no sucess.

Please let me whether both end require the same replay window-size.Present local node has no setting this mean it is default 64 byte. Any1 help will be appreciable.