Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5394
Views
0
Helpful
1
Replies

ESP Sequence Number Error

inoc_noc
Level 1
Level 1

‎09-16-2009 07:28 AM - edited ‎02-21-2020 03:40 AM

I have a site to site IPSec VPN setup to a Cisco 1711 router, and am getting occasional error messages of this type:

%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 60, pool offset 0

This appears to be caused by the router seeing a sequence number in the ESP header it doesn't like, which I think happens occasionally because we have low phase 1 and 2 timers (300 seconds).

I tried to turn off the anti-replay service to see if this would cause the messages to stop, but the IOS version I have doesn't appear to allow that. The version is Version 12.3(11)T11.

Any ideas on how I could get these messages to cease?

0 Helpful
1 Reply 1

vkapoor5
Level 5
Level 5

‎09-22-2009 07:24 AM

The error message usually indicates the following three possible conditions:

1) The IPSec encrypted packets are forwarded out of order by the encrypting router.

2. The IPSec packets received by the decrypting router are out of order due to packet

reordering at an intermediate device.

3. The received IPSec packet is fragmented and requires reassembly before authentication

verification and decryption.

This problem can usually be resolved by decreasing the TCP mss on the outgoing interface of the router by the following command:

interface outgoing-interface

ip tcp adjust-mss 1350

Before you make this change, Please clear all you tunnel with the following command:

clear crypto sa

clear crypto isakmp

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card