topic ESP Sequence Number Error in Network Security https://community.cisco.com/t5/network-security/esp-sequence-number-error/m-p/1281028#M949037 <P>I have a site to site IPSec VPN setup to a Cisco 1711 router, and am getting occasional error messages of this type:</P><P></P><P>%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 60, pool offset 0</P><P></P><P>This appears to be caused by the router seeing a sequence number in the ESP header it doesn't like, which I think happens occasionally because we have low phase 1 and 2 timers (300 seconds). </P><P></P><P>I tried to turn off the anti-replay service to see if this would cause the messages to stop, but the IOS version I have doesn't appear to allow that. The version is Version 12.3(11)T11.</P><P></P><P>Any ideas on how I could get these messages to cease?</P><P></P> Fri, 21 Feb 2020 11:40:38 GMT inoc_noc 2020-02-21T11:40:38Z ESP Sequence Number Error https://community.cisco.com/t5/network-security/esp-sequence-number-error/m-p/1281028#M949037 <P>I have a site to site IPSec VPN setup to a Cisco 1711 router, and am getting occasional error messages of this type:</P><P></P><P>%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 60, pool offset 0</P><P></P><P>This appears to be caused by the router seeing a sequence number in the ESP header it doesn't like, which I think happens occasionally because we have low phase 1 and 2 timers (300 seconds). </P><P></P><P>I tried to turn off the anti-replay service to see if this would cause the messages to stop, but the IOS version I have doesn't appear to allow that. The version is Version 12.3(11)T11.</P><P></P><P>Any ideas on how I could get these messages to cease?</P><P></P> Fri, 21 Feb 2020 11:40:38 GMT https://community.cisco.com/t5/network-security/esp-sequence-number-error/m-p/1281028#M949037 inoc_noc 2020-02-21T11:40:38Z Re: ESP Sequence Number Error https://community.cisco.com/t5/network-security/esp-sequence-number-error/m-p/1281029#M949042 <HTML><HEAD></HEAD><BODY><P>The error message usually indicates the following three possible conditions:</P><P></P><P>1) The IPSec encrypted packets are forwarded out of order by the encrypting router. </P><P>2. The IPSec packets received by the decrypting router are out of order due to packet</P><P>reordering at an intermediate device.</P><P>3. The received IPSec packet is fragmented and requires reassembly before authentication</P><P>verification and decryption.</P><P></P><P>This problem can usually be resolved by decreasing the TCP mss on the outgoing interface of the router by the following command:</P><P></P><P>interface outgoing-interface</P><P>ip tcp adjust-mss 1350</P><P></P><P>Before you make this change, Please clear all you tunnel with the following command:</P><P>clear crypto sa</P><P>clear crypto isakmp </P><P></P></BODY></HTML> Tue, 22 Sep 2009 14:24:04 GMT https://community.cisco.com/t5/network-security/esp-sequence-number-error/m-p/1281029#M949042 vkapoor5 2009-09-22T14:24:04Z