Can we disable anti replay check on ASA 9.0(4)23 per crypto map?

slicerpro
Level 1

My client's firewall is logging and dropping IPsec packets because they fail the anti-replay check. I've seen elsewhere that you can disable the check globally. I have also seen that it is possible to disable the check per crypto map on IOS, but haven't seen anything like that for ASA. Is there a way to achieve that? Here is one example of what we are getting:

Jan 23 2017 16:46:39: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0xA7F7BAD8, sequence number= 0x164293) from XX.XX.123.177 (user= XX.XX.123.177) to XX.XX.146.188 that failed anti-replay checking

1 Accepted Solution

Not on the ASA as far as I remember. You can only disable it globally on the ASA.

5 Replies

Farhan Mohamed
Cisco Employee

Please find the required information in the link below; it will help you to solve the problem:

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html

Thanks for the response, Farhan. I'm looking to disable the anti-replay check only on a crypto map (not global) for the ASA FW. The link you gave above seems to be applicable only to IOS. Is there any other resource you can recommend?

Not on the ASA as far as I remember. You can only disable it globally on the ASA.

Yea, that is more in line with what I've unearthed in my research as well.

Disabling per crypto map is supported in IOS, but on the ASA the disablement is global.
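
Because the ASA setting discussed in this thread is global, it is useful to see which peers and SAs are actually producing the drops. The following is an added example, not code from the thread or from Cisco: it groups %ASA-4-402119 messages by peer and SPI, and the names `summarize`, `PATTERN` and `SAMPLE_LOG` as well as every sample line except the one quoted in the question are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of %ASA-4-402119 as it appears in the log line quoted in the question.
PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-402119: IPSEC: "
    r"Received an? (?P<proto>\w+) packet \(SPI= ?(?P<spi>0x[0-9A-Fa-f]+), "
    r"sequence number= ?(?P<seq>0x[0-9A-Fa-f]+)\) from (?P<src>\S+) "
    r"\(user= ?[^)]*\) to (?P<dst>\S+) that failed anti-replay checking"
)

_MSG = ("%ASA-4-402119: IPSEC: Received an ESP packet (SPI= {spi}, sequence number= {seq}) "
        "from {src} (user= {src}) to {dst} that failed anti-replay checking")
# Constructed sample input. The first row reproduces the line from the question;
# the rest are made up (documentation address ranges, arbitrary SPI and sequence values).
_ROWS = [
    ("16:46:39", "0xA7F7BAD8", "0x164293", "XX.XX.123.177", "XX.XX.146.188"),
    ("16:46:41", "0xA7F7BAD8", "0x164295", "XX.XX.123.177", "XX.XX.146.188"),
    ("16:47:02", "0xA7F7BAD8", "0x1642F0", "XX.XX.123.177", "XX.XX.146.188"),
    ("16:50:10", "0x1B2C3D4E", "0x2A", "192.0.2.10", "198.51.100.1"),
]
SAMPLE_LOG = "\n".join(
    f"Jan 23 2017 {t}: " + _MSG.format(spi=s, seq=q, src=a, dst=b) for t, s, q, a, b in _ROWS
) + "\nJan 23 2017 16:50:11: constructed line for an unrelated message"


def summarize(log_text):
    """Group anti-replay drops by (peer, local address, SPI), busiest first."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = PATTERN.match(line.strip())
        if m:  # lines for other message IDs are skipped
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            key = (m["src"], m["dst"], f"0x{int(m['spi'], 16):08X}")
            groups[key].append((ts, int(m["seq"], 16)))
    report = []
    for (src, dst, spi), hits in groups.items():
        times, seqs = zip(*hits)
        report.append({"peer": src, "local": dst, "spi": spi, "drops": len(hits),
                       "seq_min": min(seqs), "seq_max": max(seqs),
                       "seconds": int((max(times) - min(times)).total_seconds())})
    return sorted(report, key=lambda r: r["drops"], reverse=True)


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Drops concentrated on one peer and SPI, as in the first group here, point at that tunnel's path rather than at the firewall as a whole.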