ASR1002 error messages

Cecilia Joo
Level 1

Hi,

We have a problem that the ASR1002 devices receives the following error message:

%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:00 Thread:105 TS:00023807958539952827 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 13

I have done a search already and do not find appropriate explanation for this.

The device is running the following IOS-XE Code - asr1000rp1-advipservicesk9.03.05.01.S.152-1.S1.bin

Thanks for your help!

Cecilia

5 Replies

InayathUlla Sharieff
Cisco Employee

Hi Cecilia,

You are observing the following error messages :

%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:00 Thread:105 TS:00023807958539952827 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 13

Details

The errors you are seeing are the result of IPSec traffic being received on your ASR that is not within the IPSec anti-replay window. This window is put in place to prevent IPSec packets from being duplicated and re-sent to your ASR. This window often needs to be adjusted if it is too small, or when a large amount of IPSec data is flowing into the ASR. The ASR only supports a window size up to 512 packets, which is a limitation specific to the ASR. The IPSec packets your device is receiving (and dropping) that are outside of the window show that the current window size is probably too small for the load of IPSec traffic you are seeing. You can disable the window, and you will see these errors go away.

Here is how you can disable the window:

  crypto ipsec security-association replay disable

Also, here is a great document that discusses the error, and how to resolve the error (by increasing or disabling the window size):

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html

Most platforms do support window sizes larger than 512 packets, but not the ASR. This behavior is due to a hardware limitation on the hardware crypto engine (not a software limitation). Cisco is hoping to increase this value to 1024 in the future, but currently we are limited by the vendor's hardware chip.

In summary, I would do the following:

1. If the errors are not in abundance (you only see a few per day), I would ensure the window is set to 512, and then do not be concerned with the error. Seeing some of these is normal.

2. If the errors are very frequent, or are impacting performance, I would increase the window to 512, then disable it if the problem still remains.

3. After increasing the replay window to 512, clear the IPSec SA once.

HTH

Regards

Inayath

*plz rate the useful posts.
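To make the behaviour described in the reply above concrete, here is an added example (not code from the thread or from Cisco) of an RFC 4303-style sliding anti-replay window. It feeds a constructed ESP arrival order, in which one packet is delayed behind 199 later ones, through a 64-packet and a 512-packet window; the small window reports the delayed packet as outside the window (the condition behind %IPSEC-3-REPLAY_ERROR), the larger one accepts it. Class and function names are assumptions for illustration.

```python
# Added example: minimal RFC 4303-style IPsec anti-replay sliding window,
# showing why a 64-packet window drops a legitimately delayed ESP packet
# that a 512-packet window still accepts.
class AntiReplayWindow:
    """Track received ESP sequence numbers within a fixed-size window."""

    def __init__(self, size):
        self.size = size      # window width in packets (e.g. 64 or 512)
        self.top = 0          # highest sequence number seen so far
        self.bitmap = 0       # bit i set => sequence (top - i) already seen

    def check_and_update(self, seq):
        """Return 'accept', 'replay' or 'outside_window' for one packet."""
        if seq == 0:
            return 'replay'   # sequence 0 is never valid on the wire
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return 'accept'
        offset = self.top - seq
        if offset >= self.size:
            # Older than the window covers: dropped as a replay error.
            return 'outside_window'
        if self.bitmap & (1 << offset):
            return 'replay'   # genuine duplicate inside the window
        self.bitmap |= 1 << offset
        return 'accept'


def simulate(window_size, sequence):
    """Run a constructed arrival order through the window; count verdicts."""
    win = AntiReplayWindow(window_size)
    counts = {'accept': 0, 'replay': 0, 'outside_window': 0}
    for seq in sequence:
        counts[win.check_and_update(seq)] += 1
    return counts


# Constructed arrival order: packet 1 is delayed (e.g. reordered across
# parallel paths or QoS queues) and arrives after packets 2..200.
ARRIVAL = list(range(2, 201)) + [1]

if __name__ == '__main__':
    for size in (64, 512):
        print(size, simulate(size, ARRIVAL))
```

The same check also rejects a true duplicate inside the window, so disabling the window trades reordering tolerance for loss of replay protection on that SA.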

Do you know when Cisco will upgrade the encryption engine to allow larger than 512 anti-replay window on the ASR platform?

It's still 512 on our ASR1001 running with 15.5(3)S5

ASR1k(ipsec-profile)#set security-association replay window-size ?
  1024  Window size of 1024
  128   Window size of 128
  256   Window size of 256
  512   Window size of 512
  64    Window size of 64 (default)

ASR1k(ipsec-profile)#set security-association replay window-size 1024
Warning: encryption hardware does not support window size of 1024
Using window size 512

Hello,

I am facing the situation that increasing the anti-replay window size to 1024 would help but I am still limited to the HW. Any indication whether different RP would help? Such as RP2 or RP3 on ASR1001-HX?

Here is what you get for the command on the ASR1002-RP1-ESP10 platform running IOS-XE asr1000rp1-adventerprisek9.03.16.05.S.155-3.S5-ext.bin

crypto isakmp key ASR1002X address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024     !<<<<<<<<<<<<<<<<
! Warning: window size of 512 actually used
!
crypto ipsec transform-set

Nick H
Level 1

We are experiencing the same problem on ASR 4000 code 15.4.(3). Old thread for the win.
