fix for this alert? %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x229, sequence number= 0x4A2) from (user= ) to that failed anti-replay checking.

vrian_colaba
Level 1

Hello,

Good Day! Just wanted to ask what is the fix for this alert? %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x229, sequence number= 0x4A2) from (user= ) to that failed anti-replay checking.

6 Replies

JP Miranda Z
Cisco Employee

Hi vrian_colaba,

Most of the time that is not even a problem but just an alert. You can take a look at the following link to understand the anti-replay check feature and the ways to troubleshoot it:

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html

Hope this info helps!!

Rate if helps you!! 

-JP-

As per Cisco, we can adjust the window size to 1024.

hostname(config)#crypto ipsec security-association replay window-size 1024
Note: Cisco recommends that you use the full 1024 window size to eliminate any anti-replay problems.

What will be the impact of using this command, since we have many customers that are connected via the S2S VPN? If there is an issue after entering that command, how could I roll back to the default one?

Thank You.

vrian

Hi vrian_colaba,

There is no impact after applying that command. That command is only going to increase the window size in order to avoid the messages in the logs, but if you have malformed packets or packets out of order in a considerable amount, enough to believe this is an issue, the router is always going to keep showing the logs, since this is an extra security feature.

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi JP Miranda Z,

Do we have a specific command on the Cisco ASA to figure out or check how many malformed packets or packets out of order there are in a considerable amount of time?

Thank You.

vrian

Hi vrian_colaba,

With the command show crypto ipsec sa detail you can see the amount of traffic passing through the tunnel and also the replay errors, so you can compare these two outputs and have an idea of the percentage of replay check errors.

This is the most common reason:

-It is a packet that falls outside of the receiver's anti-replay window: In case the receiving IPSec endpoint drops the replayed packets (as it is supposed to), simultaneous sniffer captures on the WAN side of both the sender and receiver help track down if this is caused by misbehaviour of the sender, or by packets replayed in the transit network.

This is part of the documentation provided. You can take simultaneous captures on the ASA and the device at the other end from public to public IP; once again, most of the time this requires a full packet analysis on the path (ISP).

Hope this info helps!!

Rate if helps you!! 

-JP-
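The comparison JP describes (replay errors against the total traffic per tunnel) is tedious to do by hand when many site-to-site peers are configured. The following script is an added example, not code from the thread or from Cisco: it parses the per-SA counters from a pasted show crypto ipsec sa detail output, computes the share of received packets that failed the anti-replay check for each peer, and lists the peers above a threshold. The sample output is constructed, and the exact counter labels (#pkts decaps, #pkts replay failed (rcv)) are assumptions that should be checked against your own ASA output before relying on the regexes.

```python
import re

# Constructed sample resembling the counter section of `show crypto ipsec sa detail`
# on an ASA with two site-to-site SAs. Field names are assumptions; adjust the
# regexes below if your ASA release labels the counters differently.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 120000, #pkts encrypt: 120000, #pkts digest: 120000
      #pkts decaps: 118500, #pkts decrypt: 118500, #pkts verify: 118500
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 12
      #send errors: 0, #recv errors: 0

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.9

      #pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000
      #pkts decaps: 4000, #pkts decrypt: 4000, #pkts verify: 4000
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 900
      #send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
REPLAY_FAILED_RE = re.compile(r"#pkts replay failed \(rcv\):\s*(\d+)")


def parse_replay_stats(text):
    """Return {peer: {"decaps", "replay_failed", "replay_pct"}} from the CLI output.

    A new `current_peer:` line starts a new SA; counters that follow it are
    attributed to that peer until the next `current_peer:` line.
    """
    stats = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            stats[peer] = {"decaps": 0, "replay_failed": 0}
            continue
        if peer is None:
            continue  # header lines before the first SA
        m = DECAPS_RE.search(line)
        if m:
            stats[peer]["decaps"] = int(m.group(1))
        m = REPLAY_FAILED_RE.search(line)
        if m:
            stats[peer]["replay_failed"] = int(m.group(1))

    for s in stats.values():
        # Replay-failed packets are dropped before decapsulation, so the
        # denominator is everything received on the SA: decaps + failed.
        total = s["decaps"] + s["replay_failed"]
        s["replay_pct"] = round(100.0 * s["replay_failed"] / total, 3) if total else 0.0
    return stats


def flag_peers(stats, threshold_pct=1.0):
    """Peers whose replay-drop share is at or above the threshold, sorted."""
    return sorted(p for p, s in stats.items() if s["replay_pct"] >= threshold_pct)


if __name__ == "__main__":
    stats = parse_replay_stats(SAMPLE_OUTPUT)
    print(f"{'peer':<16}{'decaps':>10}{'replay_failed':>15}{'replay %':>10}")
    for peer, s in stats.items():
        print(f"{peer:<16}{s['decaps']:>10}{s['replay_failed']:>15}{s['replay_pct']:>10}")
    print("peers above 1% replay drops:", flag_peers(stats))
```

A peer with a fraction of a percent of replay drops on a busy tunnel is the "just an alert" case from the first reply; a peer whose drops run into whole percentages is the one worth pairing with the simultaneous WAN-side captures JP mentions, since at that level enlarging the window will not make the messages go away.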

I just configured this on our ASA crypto ipsec security-association replay window-size 1024 but after configuring it I'm still seeing a lot of alerts. Have an idea on what I can do next?

Thank you.

vrian
