03-19-2013 03:49 PM - edited 03-07-2019 12:21 PM
Hi,
We have a problem that the ASR1002 device receives the following error message:
%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:00 Thread:105 TS:00023807958539952827 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 13
I have already done a search and did not find an appropriate explanation for this.
The device is running the following IOS-XE Code - asr1000rp1-advipservicesk9.03.05.01.S.152-1.S1.bin
Thanks for your help!
Cecilia
03-19-2013 05:41 PM
Hi Cecilia,
You are observing the following error messages :
%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:00 Thread:105 TS:00023807958539952827 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 13
Details
============
The errors you are seeing are the result of IPSec traffic being received on your ASR that is not within the IPSec anti-replay window.
This window is put in place to prevent IPSec packets from being duplicated and
re-sent to your ASR. This window often needs to be adjusted if it
is too small, or when a large amount of IPSec data is flowing into the ASR.
The ASR only supports a window size up to 512 packets, which is a limitation
specific to the ASR. The IPSec packets your device is receiving (and
dropping) that are outside of the window show that the current window size
is probably too small for the load of IPSec traffic you are seeing. You can
disable the window, and you will see these errors go away.
Here is how you can disable the window:
crypto ipsec security-association replay disable
Also, here is a great document that discusses the error, and how to resolve
the error (by increasing or disabling the window size)
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html
Most platforms do support window sizes larger than 512 packets, but not the
ASR. This behavior is due to a hardware limitation on the hardware
crypto engine (not a software limitation). Cisco is hoping to increase this
value to 1024 in the future, but currently we are limited by the vendor's
hardware chip.
In summary, I would do the following:
1. If the errors are not in abundance (you only see a few per day), I would ensure the
window is set to 512, and then do not be concerned with the error. Seeing some of these
is normal.
2. If the errors are very frequent, or are impacting performance, I would increase the
window to 512, then disable it if the problem still remains.
3. After increasing the replay window to 512, clear the IPSec SA once.
HTH
Regards
Inayath
*plz rate the useful posts.
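To make the mechanism behind the REPLAY_ERROR concrete, here is an added example (not part of the thread and not Cisco code) of the sliding-window anti-replay check that ESP receivers perform (RFC 4303, section 3.4.3). It replays a constructed packet stream in which a few packets are delayed by 300 positions through a 64-packet window and through a 512-packet window (the two sizes discussed above). A packet that arrives more than window-size sequence numbers behind the newest one is dropped as "outside-window" even though it is a legitimate packet, which is exactly the condition the ASR logs as an anti-replay error; a genuine duplicate is rejected as "replay" regardless of window size. The class and function names, the stream shape and the counters are all constructed for this illustration.

```python
"""Sliding-window anti-replay check as performed by an ESP receiver (RFC 4303 3.4.3).

Added illustration, not vendor code. Uses 32-bit style sequence numbers without
Extended Sequence Numbers, which is enough to show why a small window drops
legitimate but reordered packets.
"""


class AntiReplayWindow:
    """Tracks received ESP sequence numbers with a fixed-size bitmap window."""

    def __init__(self, size: int = 64) -> None:
        # RFC 4303 requires at least 32; real implementations use powers of two.
        if size < 32 or size & (size - 1):
            raise ValueError("window size must be a power of two >= 32")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was received

    def check_and_update(self, seq: int) -> str:
        """Classify one packet as 'accept', 'replay' or 'outside-window'.

        The window state is only updated when the packet is accepted, so a
        caller can treat the other two results as drops.
        """
        if seq < 1:
            raise ValueError("ESP sequence numbers start at 1")
        if seq > self.top:
            # Newer than anything seen: slide the window forward. Bits pushed
            # past the left edge are forgotten, so the window only ever
            # covers [top - size + 1, top].
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            # Legitimate but too late: the window has already moved past it.
            return "outside-window"
        if self.bitmap & (1 << offset):
            return "replay"        # already received once: a true duplicate
        self.bitmap |= 1 << offset
        return "accept"


def simulate(window_size: int, arrivals: list) -> dict:
    """Run a sequence of arriving packets through one window; return tallies."""
    window = AntiReplayWindow(window_size)
    counts = {"accept": 0, "replay": 0, "outside-window": 0}
    for seq in arrivals:
        counts[window.check_and_update(seq)] += 1
    return counts


def reordered_stream(n: int = 2000, every: int = 500, delay: int = 300) -> list:
    """Constructed arrival order: packets 1..n in order, except that every
    `every`-th packet arrives `delay` packets late (e.g. held in a slower queue)."""
    order = list(range(1, n + 1))
    for seq in range(every, n + 1, every):
        idx = order.index(seq)
        order.pop(idx)
        order.insert(min(idx + delay, len(order)), seq)
    return order


if __name__ == "__main__":
    stream = reordered_stream()
    for size in (64, 512):
        print(f"window {size:>4}: {simulate(size, stream)}")
    # A real duplicate is caught by any window size.
    print("duplicate  :", simulate(64, [1, 2, 3, 2]))
```

With a 64-packet window the three packets that arrive 300 positions late are counted as outside-window drops; the same stream through a 512-packet window is accepted in full, while the duplicated sequence number 2 is rejected as a replay in either case. Disabling the check, as suggested in the post above, removes the drops but also removes the duplicate detection, so the trade-off is visible directly in the two counters.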
10-07-2013 07:11 AM
Do you know when Cisco will upgrade the encryption engine to allow larger than 512 anti-replay window on the ASR platform?
04-27-2017 05:28 AM
It's still 512 on our ASR1001 running with 15.5(3)S5
ASR1k(ipsec-profile)#set security-association replay window-size ?
1024 Window size of 1024
128 Window size of 128
256 Window size of 256
512 Window size of 512
64 Window size of 64 (default)
ASR1k(ipsec-profile)#set security-association replay window-size 1024
Warning: encryption hardware does not support window size of 1024
Using window size 512
06-14-2017 11:33 AM
Hello,
I am facing the situation that increasing the anti-replay window size to 1024 would help but I am still limited to the HW. Any indication whether different RP would help? Such as RP2 or RP3 on ASR1001-HX?
Here is what you get for the command on the ASR1002-RP1-ESP10 platform running IOS-XE asr1000rp1-adventerprisek9.03.16.05.S.155-3.S5-ext.bin
crypto isakmp key ASR1002X address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024 !<<<<<<<<<<<<<<<<
! Warning: window size of 512 actually used
!
crypto ipsec transform-set
04-24-2017 06:30 AM
We are experiencing the same problem on ASR 4000 code 15.4.(3). Old thread for the win.