Core issue
This issue is documented in Cisco bug ID CSCeg43855.
A router that encrypts packets can send locally-originated traffic out of order after the packets are encrypted. Locally-originated traffic includes keepalive packets and routing updates. This scenario results in the failure of anti-replay checks.
Anti-replay is a security service in which the receiver can reject old or duplicate packets in order to protect itself against replay attacks.
In this case, the anti-replay check fails and the receiving router drops the packets that arrive out of order. The problem occurs when a multipoint GRE (mGRE) over IPSec tunnel is built between two routers.
When the receiver is a Cisco 7200 series router, the output of the show crypto ipsec sa detail command or the show pas isa interface command shows this problem.
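The following model of the receiver-side anti-replay window is an added illustration, not Cisco code, and it does not reproduce the 7200 bug itself. It implements the sliding-window check from RFC 4303, section 3.4.3, so that the page's two observations can be reproduced: a packet that is reordered by a few positions is accepted, while a locally originated packet (such as a keepalive) whose sequence number falls behind the window by the time it is transmitted is dropped with the logged replay error. A 64-packet window, the log string format and the arrival orders are assumptions constructed for the example. The integrity flag models why the workaround in the Resolution section silences the error: RFC 4303 only performs anti-replay when the integrity (authentication) service is selected, so removing authentication from the transform set removes the replay check along with the integrity check.

```python
"""Model of the IPsec ESP anti-replay sliding window (RFC 4303, section 3.4.3).

Added example, not Cisco IOS code. The window size, log format and packet
arrival orders below are constructed for illustration.
"""

DEFAULT_WINDOW = 64  # assumption: a 64-packet anti-replay window


class ReplayWindow:
    """Receiver-side anti-replay state for one inbound IPsec SA."""

    def __init__(self, size=DEFAULT_WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                     # ESP sequence numbers start at 1
        if seq > self.top:
            # Packet is ahead of the window: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0              # everything seen so far falls out
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                 # bit 0 is the new top
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # older than the window: replay failure
        if self.bitmap & (1 << offset):
            return False                     # duplicate inside the window
        self.bitmap |= 1 << offset
        return True


def receive(packets, window=DEFAULT_WINDOW, integrity=True):
    """Feed ESP sequence numbers in arrival order; return (accepted, dropped).

    With the integrity service disabled the receiver cannot trust the sequence
    number, so RFC 4303 performs no replay check at all. That is the effect of
    removing authentication from the transform set: the error disappears, and
    so does the replay and integrity protection.
    """
    win = ReplayWindow(window)
    accepted, dropped = [], []
    for seq in packets:
        if not integrity or win.check(seq):
            accepted.append(seq)
        else:
            dropped.append(seq)
            # Constructed to resemble the error the page documents.
            print(f"%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed "
                  f"(seq={seq}, window top={win.top})")
    return accepted, dropped


# Constructed arrival orders, as the receiving router would see them.
MILD_REORDER = [1, 2, 4, 3, 5, 7, 6, 8]          # a few positions out of order
LATE_KEEPALIVE = list(range(1, 70)) + [3]        # seq 3 sent after 66 later packets
DUPLICATE = [1, 2, 3, 2]                          # a replayed packet

if __name__ == "__main__":
    for name, order in (("mild reorder", MILD_REORDER),
                        ("late keepalive", LATE_KEEPALIVE),
                        ("duplicate", DUPLICATE)):
        acc, drop = receive(order)
        print(f"{name}: accepted {len(acc)}, dropped {drop}")
    print("without integrity:", receive(LATE_KEEPALIVE, integrity=False)[1])
```

Running the script shows the mild reorder fully accepted, the late keepalive (sequence 3 behind a window whose top has reached 69) dropped with the logged error, and the same late packet accepted once the integrity service, and with it the replay check, is switched off.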
Resolution
For a workaround, turn off packet authentication for the configured IPSec transform set.
As an alternative, upgrade to any of these Cisco IOS Software versions, available from the Cisco Software Center:
- 12.4(2.3)
- 12.4(2.9)T
- 12.3(14)T03
- 12.3(11)T07
- 12.4(2)T01
- 12.3(8)T10
- 12.4(01b)
Frequency
Continuously
Error
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
VPN Tunnel End Points
Any end point
Router
Protocol / Ports
Generic routing encapsulation (GRE)
VPN Protocols
IPSec