The %VPN-SM-4-ICPUPP9 error message appears in the logs of a Cisco Catalyst 6500 switch that runs Cisco IOS Software


Core issue

The %VPN-SM-4-ICPUPP9 error occurs because IP Security (IPsec) packets fail the anti-replay check. The packets fail the check because they do not fit into the 64-packet anti-replay window. A sliding window performs the anti-replay check to prevent replay attacks.

The most common cause is the use of Quality of Service (QoS) in the network. QoS causes some packets to be prioritized over others. As a result, some packets arrive late and fall outside the window. Usually, this delay does not impact functionality, because higher-level protocols take care of retransmission. The most apparent impact of this problem is choppy voice output if some voice packets are dropped.
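The following added example (not Cisco's implementation and not part of the original page) models a receiver-side 64-packet sliding window in the style of RFC 4303 and shows why a packet delayed by QoS is dropped once the window has moved past it. The class and function names and the traffic pattern are constructed for illustration.

```python
WINDOW = 64  # anti-replay window size stated on this page

class AntiReplayWindow:
    """Receiver-side sliding window over IPsec sequence numbers (hypothetical model)."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (top - i) already seen

    def check(self, seq):
        """Return 'ok', 'replay' or 'out_of_window'; state changes only on 'ok'."""
        if seq > self.top:                      # newer packet: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:                 # left edge already passed it
            return "out_of_window"
        if self.bitmap & (1 << offset):         # bit already set: duplicate
            return "replay"
        self.bitmap |= 1 << offset              # late, but still inside window
        return "ok"

def simulate(arrival_order):
    """Feed an arrival order through a fresh window and collect the drops."""
    win = AntiReplayWindow()
    drops = []
    for seq in arrival_order:
        verdict = win.check(seq)
        if verdict != "ok":
            drops.append((seq, verdict))
    return drops

# Constructed traffic: packets 1..200 are sent in order, but 10 and 20 wait in
# a low-priority queue. 10 is released after packet 50, 20 after packet 120.
def qos_reordered():
    order = [s for s in range(1, 201) if s not in (10, 20)]
    order.insert(order.index(50) + 1, 10)    # 40 behind the top: inside window
    order.insert(order.index(120) + 1, 20)   # 100 behind the top: outside window
    return order

if __name__ == "__main__":
    print(simulate(qos_reordered()))
```

Packet 10 arrives 40 sequence numbers late and is accepted; packet 20 arrives 100 late and is dropped even though it is a legitimate, never-before-seen packet, which is the condition the log message reports.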


Currently, the only workaround is to stop authentication on the IPsec packets by removing the Hash-Based Message Authentication Code (HMAC) function from the IPsec transform set to disable anti-replay checks.

Note: Removing the Hash-Based Message Authentication Code (HMAC) function results in highly degraded security.
