TCC_2
Level 10

Core issue

This issue is documented in Cisco bug ID CSCeg43855.

A router that encrypts packets can send locally-originated traffic out of order after the packets are encrypted. Locally-originated traffic includes keepalive packets and routing updates. This scenario results in the failure of anti-replay checks.

Anti-replay is a security service in which the receiver can reject old or duplicate packets in order to protect itself against replay attacks.

In this case, anti-replay check failure causes the recipient router to drop packets that are out of order. This problem occurs when a multipoint GRE (mGRE) and IPSec tunnel is built between two routers.

On a Cisco 7200 series router that is the receiver, the output of the show crypto ipsec sa detail command or the show pas isa interface command indicates this problem.

Resolution

For a workaround, turn off packet authentication for the configured IPSec transform set.

As an alternative, upgrade to any of these versions. Refer to Software Center: Cisco IOS Software:

  • 12.4(2.3)
  • 12.4(2.9)T
  • 12.3(14)T03
  • 12.3(11)T07
  • 12.4(2)T01
  • 12.3(8)T10
  • 12.4(01b)

Frequency

Continuously

Error

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

VPN Tunnel End Points

Any end point

Router

Protocol / Ports

Generic routing encapsulation (GRE)

VPN Protocols

IPSec


Comments
Mark Mattix
Level 2

If I am experiencing this error, does it mean the replay check process is entirely not functioning? I'm wondering, if I do disable the replay check settings on a VPN, whether it will make the link less secure. I believe this bug is causing high CPU utilization, so I'd like to resolve the issue, but at the same time I do not want to make my connection less secure.

Thanks, -Mark

johnnylingo
Level 5

If I'm understanding this correctly, the high CPU is more a secondary symptom. The real issue usually is an elephant flow that causes one side of the connection to expire the SA prematurely when traffic of 4608000 KB is exceeded. The two sides then are briefly in disagreement on SA status.

The first work-around is to increase the replay window size beyond the default value of 64 Bytes.

crypto ipsec security-association replay window-size 1024

Another is to increase the SA lifetime in the crypto ipsec profile, or just disable it entirely.

Router(ipsec-profile)#set security-association lifetime kilobytes ?
<2560-4294967295> Security association duration in kilobytes encrypted
disable Disable Volume-based Rekey
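To make the anti-replay failure described in the core issue and the window-size workaround above concrete, here is an added example (not from the original post or from Cisco) that models an ESP-style sliding anti-replay window and replays a constructed packet stream in which one locally-originated packet is delayed behind bulk traffic after encryption. The window sizes 64 and 1024 are the default and the workaround value quoted above; the packet stream and the ReplayWindow class are constructed for this illustration.

```python
class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 4303 style).

    Constructed model: `top` is the highest sequence number accepted so far and
    bit i of `bitmap` records that sequence (top - i) has already been seen.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True if seq passes the replay check, False if it is dropped."""
        if seq == 0:
            return False  # ESP never transmits sequence number 0
        mask = (1 << self.size) - 1
        if seq > self.top:
            # Newer than anything seen: slide the window forward and mark seq.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old: fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False  # duplicate: a genuine replay
        self.bitmap |= 1 << diff
        return True


def count_replay_failures(arrival_order, window_size):
    """Number of packets a receiver with the given window would drop."""
    win = ReplayWindow(window_size)
    return sum(1 for seq in arrival_order if not win.check_and_update(seq))


def delayed_stream(n, delayed, delay):
    """Constructed arrival order: sequences 1..n in order, except that each
    sequence in `delayed` is re-queued `delay` positions later, like a
    keepalive that leaves the encryptor behind a burst of bulk data."""
    order = [s for s in range(1, n + 1) if s not in delayed]
    for s in sorted(delayed):
        order.insert(min(len(order), (s - 1) + delay), s)
    return order


if __name__ == "__main__":
    stream = delayed_stream(200, {5}, 100)  # packet 5 arrives ~100 packets late
    for size in (64, 1024):
        print(f"window {size}: {count_replay_failures(stream, size)} replay failure(s)")
```

With the 64-packet window the delayed packet is dropped as "too old" even though it is not a replay; the 1024-packet window accepts it, while true duplicates are still rejected at either size.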