I have a site to site IPSec VPN setup to a Cisco 1711 router, and am getting occasional error messages of this type:
%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 60, pool offset 0
This appears to be caused by the router seeing a sequence number in the ESP header it doesn't like, which I think happens occasionally because we have low phase 1 and 2 timers (300 seconds).
I tried to turn off the anti-replay service to see if this would cause the messages to stop, but the IOS version I have doesn't appear to allow that. The version is Version 12.3(11)T11.
Any ideas on how I could get these messages to cease?
The error message usually indicates the following three possible conditions:
1. The IPSec encrypted packets are forwarded out of order by the encrypting router.
2. The IPSec packets received by the decrypting router are out of order due to packet reordering at an intermediate device.
3. The received IPSec packet is fragmented and requires reassembly before authentication verification and decryption.
This problem can usually be resolved by decreasing the TCP MSS on the outgoing interface of the router with the following command:
ip tcp adjust-mss 1350
Before you make this change, please clear all your tunnels with the following commands:
clear crypto sa
clear crypto isakmp
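As an added illustration (not part of the answer above or of any Cisco code), the following model of the ESP anti-replay sliding window shows why the first two conditions listed produce a sequence failure: mild reordering inside the window is tolerated, while a packet that arrives more than a full window late, or a duplicate, is rejected. The window size of 64 and the sample sequence-number streams are assumptions constructed for the example.

```python
# ESP anti-replay sliding window (RFC 4303 style), a constructed model used
# to show why reordered or long-delayed packets trigger "ESP sequence fail".
# The window size of 64 is an assumption for this example, not from the post.

WINDOW = 64

class AntiReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => packet (top - i) has been seen

    def check_and_update(self, seq):
        """Return True if seq is accepted, False if it fails the replay check."""
        if seq == 0:
            return False                        # sequence number 0 is never valid in ESP
        if seq > self.top:
            shift = seq - self.top              # window slides forward to the new top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                 # jumped past the whole old window
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                        # too old: fell out of the window
        if (self.bitmap >> diff) & 1:
            return False                        # already seen: duplicate/replay
        self.bitmap |= (1 << diff)              # late but inside the window: accept
        return True

def replay_check(sequence, size=WINDOW):
    """Feed ESP sequence numbers through the window; return the rejected ones."""
    w = AntiReplayWindow(size)
    return [s for s in sequence if not w.check_and_update(s)]

# Constructed inputs:
# 1) mild reordering at an intermediate device: 3 arrives after 5 -> accepted
MILD_REORDER = [1, 2, 4, 5, 3, 6]
# 2) one packet delayed more than a full window -> rejected as too old
LONG_DELAY = list(range(1, 70)) + [2]
# 3) an exact duplicate inside the window -> rejected
DUPLICATE = [1, 2, 3, 3, 4]

if __name__ == "__main__":
    for name, seqs in [("mild reorder", MILD_REORDER),
                       ("long delay", LONG_DELAY), ("duplicate", DUPLICATE)]:
        print(f"{name}: rejected {replay_check(seqs)}")
```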