TCC_2

Core issue

This notification message is seen on the console of the decrypting peer. It tells the user that IPsec packets have been received out of order, that is, with an ESP or AH sequence number that falls outside the anti-replay window.

These are the reasons for this message:

  1. Fragmentation. Fragmented crypto packets are process switched, while unfragmented packets are fast switched. Fast-switched packets are therefore handed to the VPN card ahead of the process-switched packets. If enough fast-switched packets are processed ahead of a process-switched packet, the ESP or AH sequence number of the process-switched packet becomes stale, and when the packet finally reaches the VPN card its sequence number is outside the anti-replay window. This causes the AH or the ESP sequence number error, depending on which encapsulation you are using.
  2. Stale cache entries. The same thing can occur when a fast-switching cache entry becomes stale: the first packet that misses the cache is process switched and is overtaken in the same way.

Resolution

Verify the cause of the problem by disabling CEF and fast switching with these commands (this is a diagnostic step, not a fix: with CEF and the route cache disabled all traffic is process switched, so expect a noticeable CPU impact while the test runs):

(conf)# no ip cef
(conf-if)# no ip route-cache
(conf-if)# no ip mroute-cache

For a workaround, issue these commands, which avoid the fragmentation that sends packets down the process-switched path:

(conf-if)# ip tcp adjust-mss <mss>

(conf)# crypto ipsec df-bit clear

The first command clamps the MSS of TCP sessions crossing the interface so that the resulting segments fit the tunnel MTU after encapsulation; the second controls how the DF bit is handled for encapsulated packets. Refer to the TCP MSS adjustment documentation for more details.

Note: Unless the message disrupts the VPN traffic, it can be ignored.
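The following is an added example and not part of the original Cisco page: a small Python model of the ESP/AH anti-replay sliding window (the RFC 4303 Appendix A style algorithm) fed with the arrival order produced by the fragmentation scenario in reason 1 above, plus the effect of the MSS clamp from the workaround. The window width of 64, the packet sizes, the MTU and the way the process-switched delay is modelled (a fixed number of packet slots) are all constructed assumptions chosen to illustrate the failure mode, not values taken from the page or from IOS.

```python
# Added example, not from the original Cisco page: a receiver-side anti-replay
# window driven by the reordering that fragmentation causes on the encrypting
# router. Window width, sizes, MTU and delay are constructed for illustration.

WINDOW = 64  # assumed anti-replay window width used by this model


class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far (right edge)
        self.bitmap = 0   # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq):
        """Return True if seq is accepted, False if it is stale or a replay."""
        if seq <= 0:
            return False                      # 0 is never a valid ESP/AH sequence number
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # older than the left edge: the "out of order" drop
        if self.bitmap & (1 << diff):
            return False                      # already received: replay
        self.bitmap |= 1 << diff              # late but still inside the window
        return True


def arrival_order(sizes, mtu, slow_delay):
    """Order in which the decrypting peer sees sequence numbers 1..len(sizes).

    Packets larger than the MTU must be fragmented, which on the encrypting router
    means they are process switched; that is modelled here as reaching the crypto
    engine `slow_delay` packet slots behind the fast-switched traffic around them.
    """
    timeline = []
    for seq, size in enumerate(sizes, start=1):
        slot = seq + (slow_delay if size > mtu else 0)
        timeline.append((slot, seq))
    return [seq for _, seq in sorted(timeline)]


def rejected_sequence_numbers(sizes, mtu, slow_delay, window=WINDOW):
    """Sequence numbers the receiver drops for the given traffic and delay."""
    arw = AntiReplayWindow(window)
    return [seq for seq in arrival_order(sizes, mtu, slow_delay)
            if not arw.check_and_update(seq)]


def apply_mss_clamp(sizes, mss, ip_tcp_headers=40):
    """Effect of `ip tcp adjust-mss`: no TCP segment exceeds mss plus IP/TCP headers."""
    return [min(size, mss + ip_tcp_headers) for size in sizes]


if __name__ == "__main__":
    # Constructed traffic: 200 packets that fit the crypto-path MTU, except
    # number 10, a 1500-byte packet that has to be fragmented.
    sizes = [1400] * 200
    sizes[9] = 1500
    print("delay 30 slots :", rejected_sequence_numbers(sizes, 1400, 30))     # []
    print("delay 100 slots:", rejected_sequence_numbers(sizes, 1400, 100))    # [10]
    clamped = apply_mss_clamp(sizes, 1360)
    print("after MSS clamp:", rejected_sequence_numbers(clamped, 1400, 100))  # []
```

With a modest delay the late packet still lands inside the 64-entry window and is accepted; once more than 64 fast-switched packets overtake it, its sequence number is behind the left edge of the window and the receiver drops it, which is exactly the condition the console message reports. Clamping the MSS removes the oversized packet, so nothing takes the slow path and nothing is dropped.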

Cisco IOS Software Version

12.4
