TCC_2

Core issue

The %VPN-SM-4-ICPUPP9 error occurs because IP Security (IPsec) packets fail the anti-replay check. The packets fail the check because they do not fit into the 64-packet anti-replay window. A sliding window performs the anti-replay check to prevent replay attacks.

The most common cause is the use of Quality of Service (QoS) in the network. QoS causes some packets to be prioritized over others. As a result, some packets arrive late and fall outside the window. Usually, this delay does not impact functionality, because higher-level protocols take care of retransmission. The most apparent impact of this problem is choppy voice output if some voice packets are dropped.
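
The following sketch is an added example, not Cisco code: it models a generic 64-entry bitmap sliding window and runs it over a constructed arrival order in which QoS delays two packets. The class, function names, and sample sequence numbers are assumptions made for illustration.

```python
WINDOW = 64  # anti-replay window size given in the article

class ReplayWindow:
    """Simplified receiver-side window; assumes each packet already passed
    its integrity check (a real receiver verifies that before updating)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) was already seen

    def check(self, seq):
        """Classify one arriving sequence number and update the window."""
        if seq < 1:
            return "invalid"
        if seq > self.top:                      # window slides forward
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:                 # arrived too late
            return "too_old"
        if self.bitmap & (1 << offset):         # already seen
            return "replay"
        self.bitmap |= 1 << offset              # late but still in window
        return "accept"


def qos_reordered_stream():
    """Constructed arrival order: packets 5 and 50 sit in a low-priority
    queue while 1..100 pass, then arrive late; 100 is then seen again."""
    prioritized = [s for s in range(1, 101) if s not in (5, 50)]
    return prioritized + [50, 5, 100]


def simulate(arrivals):
    window = ReplayWindow()
    return [(seq, window.check(seq)) for seq in arrivals]


if __name__ == "__main__":
    for seq, verdict in simulate(qos_reordered_stream())[-3:]:
        print(f"seq {seq:3d}: {verdict}")
```

Packet 50 is late but still inside the window and is accepted, while packet 5 is legitimate traffic that is dropped only because the window has already moved more than 64 packets past it, which is the case the error message reports.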

Resolution

Currently, the only workaround is to disable anti-replay checks by removing the Hash-Based Message Authentication Code (HMAC) function from the IPsec transform set, which stops authentication of the IPsec packets.

Note: Removing the Hash-Based Message Authentication Code (HMAC) function will result in highly degraded security.
