Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
270
Views
0
Helpful
1
Replies

Replay window size and Extended Anti replay what are best practices

csco10260962
Level 1
Level 1

‎02-24-2025 04:04 AM - edited ‎02-24-2025 04:19 AM

In security feature template Replay window size and Extended Anti replay what are best practices  ?

Should only one be used or both ? What are best practices. We are using normal QOS settings (not per tunnel or per vpn qos).

In logging we saw a lot of replay hmac errors. And show crypto ipsec peer x.x.x.x platform did not show window size that was configured under the feature template. Are they mutally exculsive or can they both be on at the same time ?

Labels:
0 Helpful
1 Reply 1

AshSe
VIP
VIP

‎02-28-2025 02:23 AM

@csco10260962 

@csco10260962 wrote:

In security feature template Replay window size and Extended Anti replay what are best practices  ?

Should only one be used or both ? What are best practices. We are using normal QOS settings (not per tunnel or per vpn qos).

To directly address your question: Both features can be used together, but enabling Extended Anti-Replay is generally sufficient and recommended in most cases, especially in networks with normal QoS settings.

Best practices (normal QoS settings):

  1. Enable extended Anti-replay
  2. Monitor replay HMAC errors.
  3. Avoid configuring both features simultaneously.
  4. Use Replay WIndow size only if Anti-Replay is not configured

HTH

AshSe

0 Helpful
Customers Also Viewed These Support Documents