Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
307
Views
0
Helpful
1
Replies

Disable Replay Protection on Viptela via CLI or vManage

jeffhcf
Level 1
Level 1

‎10-04-2022 10:48 AM

Hello!

I am working with one of our administrators that controls the Cisco Viptela infrastructure. We are following a vendor's configuration recommendation and are seeing a discrepancy between what options we have in vMange (or even the CLI) and what the vendor has in their sample configuration.

The vendor's configuration recommends using a "SIG [Secure Internet Gateway] Template" on vManage:

 

Tunnel Type										IPsec
Interface Name (1..255)							Global
Description										IP
Tunnel Source IP Address						Device-Specific
IPv4 addresses									Device-Specific
Tunnel Route-via Interface						Device-Specific
Tunnel Destination IP Address/FQDN(Ipsec)		Device-Specific
Preshared key									Device-Specific
IPsec Rekey Interval (under advanced options)	Default
IPsec Replay Window								Default
IPSec Cipher Suite								Global (AES 256 CBC SHA 256)
Perfect Forward Secrecy							Global (Group-14 2048-bit modulus)

 

They also require anti-replay protection is disabled and recommends using a "non-default feature template" to accomplish this:

 

crypto ipsec profile {{ipsec_profile_name}}
no set security-association replay window-size 512
set security-association replay disable

crypto ikev2 profile {{ikev2_profile_name}}
identity local key-id {{ipsec-key-id}}

 

The vendor says they tested with 20.6.2/17.6.2

We do not seem to have an option to disable the anti-replay protection - only the option to modify the window-size in both vManage and the CLI.

I'm not sure which version of vManage we're running, but it's newer than 20.6.2 but I do know we're running 17.6.4.

Any thoughts on why it's not possible to configure this? Is it possible that it's a hidden command? I think we tried issuing the command from the CLI and it wasn't accepted.

Thanks in advance!

0 Helpful
1 Reply 1

jeffhcf
Level 1
Level 1

‎10-04-2022 11:22 AM

Just to add - I was able to find out a bit more information from the vendor. They said that both a SIG Template and a Non-Standard Template are required to achieve the configuration requirements and the option to disable replay protection was a hidden command that needed to be applied in the Non-Standard Template.

set security-association replay disable

Is there someone that can confirm this?

 

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card