https://community.cisco.com/t5/network-security/cisco-asa-5510-anti-replay-checking/m-p/865032#M960256 <HTML><HEAD></HEAD><BODY><P>There are 3 possible situations that can trigger this error and they are here:</P><P>1. The IPSec encrypted packets are forwarded out of order by the encrypting router. This</P><P>is typically a result of QoS configuration on the encrypting router. This is why you may</P><P>contact your peer administrator to make sure if they are using Q0S or not, and also to see</P><P>if they are sneding the packets out of order or they are getting disordered in the path</P><P>between the peer and your ASA.</P><P></P><P>2. The IPSec packets received by the decrypting router are out of order due to packet</P><P>reordering at an intermediate device.</P><P></P><P>3. The received IPSec packet is fragmented and requires reassembly before authentication</P><P>verification and decryption. Since the reassembly process is taking place at the process</P><P>level, it's possible that the by the time the large packet is reassembled, 64 smaller</P><P>packets have already been processed by the crypto engine, thus causing the large packet to</P><P>miss the anti-replay window.</P><P></P><P>I hope you are in sync with me until this point. Now, to avoid these error messages we</P><P>need to disable anti-replay check in case the packets are arriving</P><P>out of order. In the ASA platfomr, this can opnly be done by disabling authentciation for</P><P>this peer. This means that you have to disable authentication on the transform-set used</P><P>for this peer. For example, if you were previously using 3des for ecnryption and md5 for</P><P>authentication, then you have to use this new tranfomr set for this peer:</P><P></P><P>crypto ipsec transform-set TEST esp-3des</P><P></P><P>Instead of: crypto ipsec transform-set TEST esp-3des esp-md5-hmac</P><P></P><P>In case of fragmentation it will be better to avoid fragmentation by using lower mtu value or fragmentation before encryption.</P><P></P></BODY></HTML> Tue, 27 Nov 2007 20:51:40 GMT ebreniz 2007-11-27T20:51:40Z https://community.cisco.com/t5/network-security/cisco-asa-5510-anti-replay-checking/m-p/865031#M960255 <P>Greetings,</P><P></P><P>My logs on my ASA are screaming with error 402119, which corresponds with ESP packets failing anti-replay checking. It's only for two different users, but when it happens, it happens about 75 errors right in a row in my logs. I know in IOS you can adjust the window size for replay checking or just disable it altogether using the set security-association replay command set, but my research shows no means of doing this with ASA or the PIX. I'd really like these errors to go away. Help?</P><P></P><P>Thanks!</P><P></P><P>Grant</P> Mon, 11 Mar 2019 11:33:52 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-anti-replay-checking/m-p/865031#M960255 gdawsont2systems 2019-03-11T11:33:52Z https://community.cisco.com/t5/network-security/cisco-asa-5510-anti-replay-checking/m-p/865032#M960256 <HTML><HEAD></HEAD><BODY><P>There are 3 possible situations that can trigger this error and they are here:</P><P>1. The IPSec encrypted packets are forwarded out of order by the encrypting router. This</P><P>is typically a result of QoS configuration on the encrypting router. This is why you may</P><P>contact your peer administrator to make sure if they are using Q0S or not, and also to see</P><P>if they are sneding the packets out of order or they are getting disordered in the path</P><P>between the peer and your ASA.</P><P></P><P>2. The IPSec packets received by the decrypting router are out of order due to packet</P><P>reordering at an intermediate device.</P><P></P><P>3. The received IPSec packet is fragmented and requires reassembly before authentication</P><P>verification and decryption. Since the reassembly process is taking place at the process</P><P>level, it's possible that the by the time the large packet is reassembled, 64 smaller</P><P>packets have already been processed by the crypto engine, thus causing the large packet to</P><P>miss the anti-replay window.</P><P></P><P>I hope you are in sync with me until this point. Now, to avoid these error messages we</P><P>need to disable anti-replay check in case the packets are arriving</P><P>out of order. In the ASA platfomr, this can opnly be done by disabling authentciation for</P><P>this peer. This means that you have to disable authentication on the transform-set used</P><P>for this peer. For example, if you were previously using 3des for ecnryption and md5 for</P><P>authentication, then you have to use this new tranfomr set for this peer:</P><P></P><P>crypto ipsec transform-set TEST esp-3des</P><P></P><P>Instead of: crypto ipsec transform-set TEST esp-3des esp-md5-hmac</P><P></P><P>In case of fragmentation it will be better to avoid fragmentation by using lower mtu value or fragmentation before encryption.</P><P></P></BODY></HTML> Tue, 27 Nov 2007 20:51:40 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-anti-replay-checking/m-p/865032#M960256 ebreniz 2007-11-27T20:51:40Z