08-11-2011 11:19 PM - edited 03-11-2019 02:10 PM
Hi all,
Can anyone tell me the command to view the current anti-replay window size on an ASA 5510?
08-11-2011 11:47 PM
Hi Bala,
The command should be "show crypto ipsec sa" on the ASA, and the command to set the value is "set security-association replay window-size
HTH,
Varun
08-12-2011 12:07 AM
Varun,
We were not able to find the window size in that command. I have copied the command output here. This is very critical: we need to change the window size, but before that we want to see the current window size. Also, we are running two tunnels on the ASA 5510. Is it possible to change the window size for a single tunnel, or can we change it globally? Reply ASAP. Kindly do the needful.
thanks.
inbound esp sas:
spi: 0x916B73A3 (2439738275)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 163840, crypto-map: VPN
sa timing: remaining key lifetime (kB/sec): (3518375/2528)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x635F2042 (1667178562)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 163840, crypto-map: VPN
sa timing: remaining key lifetime (kB/sec): (3549940/2528)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00000000 0x00000000
08-12-2011 12:44 AM
You should be able to see it in "show run crypto" command, something like this:
crypto map YNRCPHV02 10 ipsec-isakmp
 set peer 172.18.100.101
 set security-association replay window-size 256
 set transform-set myset
 match address asa5510
Thanks,
Varun
08-12-2011 12:57 AM
This should also help:
show run crypto | in replay
Thanks,
Varun
08-12-2011 01:12 AM
Thanks Varun, now it's coming. Thanks for your help.
08-12-2011 01:15 AM
No issues, glad I could help.
-Varun
02-09-2013 05:41 PM
Hi, I am also getting this message on my router:
CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=407, sequence number=455744
To resolve this I have tried to put this command on the remote end node:
crypto ipsec security-association replay window-size 1024
...but no success.
Please let me know whether both ends require the same replay window-size. At present the local node has no setting, which means it is the default 64 byte. Any help will be appreciated.
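As an added illustration (not part of the thread, and not Cisco's implementation): a minimal receiver-side anti-replay sliding window in the style of RFC 4303, run over a constructed arrival order to show how a packet delayed by more than the window width fails the replay check with a window of 64 and passes with 1024. The class and function names and the sample sequence numbers are assumptions.

```python
class ReplayWindow:
    """Anti-replay window in the style of RFC 4303 (no ESN).

    This state is kept only by the receiving peer. A real implementation
    updates it only after the packet's integrity check has passed.
    """

    def __init__(self, size):
        self.size = size   # window width, in sequence numbers
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return 'ok', 'replay' or 'too_old'; record seq when accepted."""
        if seq == 0:
            return "too_old"            # ESP sequence numbers start at 1
        if seq > self.top:
            # New highest number: slide the window, dropping bits that
            # fall off its trailing edge, and mark seq as seen (bit 0).
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"            # behind the window: dropped
        if self.bitmap & (1 << offset):
            return "replay"             # already seen inside the window
        self.bitmap |= 1 << offset      # late but new: accept and record
        return "ok"


def rejected(arrivals, size):
    """Feed arrivals through a fresh window; return the rejected packets."""
    win = ReplayWindow(size)
    return [(s, v) for s in arrivals if (v := win.check_and_update(s)) != "ok"]


# Constructed sample: packets 1..300 arrive in order except 100, which is
# delayed until after 300; then a duplicate of 250 arrives.
ARRIVALS = [s for s in range(1, 301) if s != 100] + [100, 250]

if __name__ == "__main__":
    for size in (64, 1024):
        print(size, rejected(ARRIVALS, size))
```

In both runs the duplicate of 250 is rejected; only the window width decides whether the late but legitimate packet 100 is dropped.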