ASA 5510 anti-replay window for vpn

Hi all,

Can you anyone tell me the command to view current anti-reply window size in ASA 5510?

7 Replies

varrao
Level 10

Hi Bala,

The command should be "show crypto ipsec sa" on the ASA, and the command to set the value is "set security-association replay window-size"; try it and let me know how it goes.

HTH,

Varun

Thanks,
Varun Rao

Varun,

We couldn't find the window size in that command. I have copied the command output here. This is very critical: we need to change the window size, but before that we want to see the current window size. Also, we are running two tunnels on the ASA 5510. Is it possible to change the window size for a single tunnel, or can we only change it globally? Reply ASAP. Kindly do the needful.

Thanks.

inbound esp sas:
  spi: 0x916B73A3 (2439738275)
     transform: esp-3des esp-sha-hmac no compression
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 163840, crypto-map: VPN
     sa timing: remaining key lifetime (kB/sec): (3518375/2528)
     IV size: 8 bytes
     replay detection support: Y
     Anti replay bitmap:
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
  spi: 0x635F2042 (1667178562)
     transform: esp-3des esp-sha-hmac no compression
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 163840, crypto-map: VPN
     sa timing: remaining key lifetime (kB/sec): (3549940/2528)
     IV size: 8 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x00000000 0x00000001
      0x00000000 0x00000000 0x00000000 0x00000000
      0x00000000 0x00000000 0x00000000 0x00000000
      0x00000000 0x00000000 0x00000000 0x00000000
      0x00000000 0x00000000 0x00000000 0x00000000
      0x00000000 0x00000000 0x00000000 0x00000000
      0x00000000 0x00000000 0x00000000 0x00000000
      0x00000000 0x00000000 0x00000000 0x00000000

You should be able to see it in "show run crypto" command, something like this:

crypto map YNRCPHV02 10 ipsec-isakmp
 set peer 172.18.100.101
 set security-association replay window-size 256
 set transform-set myset
 match address asa5510

Thanks,
Varun
Thanks,
Varun Rao

This should also help:

show run crypto | in replay

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun, now it's showing up. Thanks for your help.

No issues, glad I could help.

-Varun

Thanks,
Varun Rao

Hi, I am also getting this message on my router:

CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=407, sequence number=455744

To resolve this I have tried to put the following command on the remote end node:

crypto ipsec security-association replay window-size 1024

...but no success.

Please let me know whether both ends require the same replay window-size. At present the local node has no setting, which means it is the default 64 byte. Any help will be appreciated.
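As an added illustration of what this thread is discussing (example code written for this page, not Cisco's implementation and not posted by anyone in the thread): a Python model of the receiver-side ESP anti-replay window from RFC 4303 section 3.4.3, plus a small parser for the "Anti replay bitmap:" words in the `show crypto ipsec sa` output quoted above. The simulation shows why a packet that arrives more than window-size positions behind the newest accepted one is dropped exactly as a replay would be, while a genuinely duplicated packet is dropped at any window size. Two caveats for anyone chasing this log message: the replay check is done by the receiver of an SA, so a window-size change has to be in effect on the device that decrypts and logs the error; and the 32 words the ASA prints (1024 bits) are the bitmap storage it displays, which this thread does not show to be the same thing as the configured window-size, so the parser reports the count only as "bits displayed". The arrival order and the SA excerpts are constructed sample data that copy the layout of the thread's output.

```python
import re


class AntiReplayWindow:
    """Receiver-side anti-replay sliding window (RFC 4303 section 3.4.3).

    `top` is the highest ESP sequence number accepted so far and bit i of
    `bitmap` records whether sequence number (top - i) has been seen, so a
    window of `size` packets covers sequence numbers top-size+1 .. top.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires support for a window of at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` if it is accepted; False if the
        receiver would drop it (a duplicate, or older than the window,
        which is what a 'replay check failed' log reports)."""
        if seq == 0:
            return False  # ESP never sends sequence number 0
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            # Slide the window right; packets that fall off its left edge
            # can no longer be distinguished from replays.
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # too old: outside the window
        if self.bitmap & (1 << offset):
            return False  # already seen inside the window: a real replay
        self.bitmap |= 1 << offset
        return True


def dropped_packets(arrival_order, size):
    """Feed an arrival order through a window of `size` packets and return
    the sequence numbers the receiver would drop."""
    win = AntiReplayWindow(size)
    return [s for s in arrival_order if not win.check_and_update(s)]


# Constructed arrival order: packets 1..200 in order, except that packet 50
# is delivered 150 positions late (heavy reordering, e.g. QoS queues on the
# path) and packet 190 is delivered a second time (a genuine replay).
REORDERED_STREAM = [s for s in range(1, 201) if s != 50] + [50, 190]


HEX_WORD = re.compile(r"0x([0-9A-Fa-f]{8})")


def bitmap_stats(sa_block):
    """Parse the 'Anti replay bitmap:' words of one SA from `show crypto
    ipsec sa` output and return (bits_displayed, bits_set). Only words after
    the label are read, so the SPI line is not mistaken for a bitmap word."""
    _, _, tail = sa_block.partition("Anti replay bitmap:")
    words = [int(w, 16) for w in HEX_WORD.findall(tail)]
    return 32 * len(words), sum(bin(w).count("1") for w in words)


# Constructed excerpts in the layout the thread's output uses: eight rows of
# four 32-bit words (1024 bits displayed) for one inbound and one outbound SA.
INBOUND_SA = (
    "  spi: 0x916B73A3 (2439738275)\n"
    "     Anti replay bitmap:\n"
    + "      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF\n" * 8
)
OUTBOUND_SA = (
    "  spi: 0x635F2042 (1667178562)\n"
    "     Anti replay bitmap:\n"
    "      0x00000000 0x00000000 0x00000000 0x00000001\n"
    + "      0x00000000 0x00000000 0x00000000 0x00000000\n" * 7
)

if __name__ == "__main__":
    for size in (64, 1024):
        print(f"window {size:4}: dropped {dropped_packets(REORDERED_STREAM, size)}")
    for name, block in (("inbound", INBOUND_SA), ("outbound", OUTBOUND_SA)):
        shown, used = bitmap_stats(block)
        print(f"{name}: {shown} bitmap bits displayed, {used} set")
```

With the default 64-packet window the late packet 50 is dropped alongside the replayed packet 190; with a 1024-packet window only the real replay is dropped, which is the trade-off a larger window-size buys on a path that reorders traffic.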
