01-25-2017 01:11 PM - edited 03-12-2019 01:50 AM
My client's firewall is logging and dropping IPsec packets because they fail the anti-replay check. I've seen elsewhere that you can disable the check globally. I have also seen that it is possible to disable the check per crypto map on IOS, but haven't seen anything like that for ASA. Is there a way to achieve that? Here is one example of what we are getting:
Jan 23 2017 16:46:39: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0xA7F7BAD8, sequence number= 0x164293) from XX.XX.123.177 (user= XX.XX.123.177) to XX.XX.146.188 that failed anti-replay checking
01-25-2017 01:48 PM
Please find the required information in the link below; it will help you to solve the problem:
http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html
01-25-2017 01:56 PM
Thanks for the response, Farhan. I'm looking to disable the anti-replay check only on a crypto map (not globally) for the ASA FW. The link you gave above seems to be applicable only to IOS. Is there any other resource you can recommend?
01-25-2017 03:38 PM
Not on the ASA as far as I remember. You can only disable it globally on the ASA.
02-01-2017 08:35 AM
Yea, that is more in line with what I've unearthed in my research as well.
02-01-2017 08:37 AM
Disabling per crypto map is supported in IOS, but on the ASA the disablement is global.