%CRYPTO-4-PKT_REPLAY_ERR OSPF adjacency flap

colossus1611 (Level 1)

Hello,

One of our 1921 routers configured with a GRE tunnel has been reporting crypto errors every single day and has OSPF adjacency flapping.

Below are some error messages from the log:

*Oct 25 00:52:14: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1605, sequence number=471
*Oct 25 01:21:32: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Oct 25 01:21:56: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from LOADING to FULL, Loading Done
*Oct 25 02:48:44: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2.2.2.2, prot=50, spi=0xE16E0A49(3782085193), srcaddr=1.1.1.1, input interface=Cellular0/0/0
*Oct 25 03:34:47: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1609, sequence number=31063
*Oct 25 03:49:06: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1611, sequence number=656
*Oct 25 05:02:28: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1613, sequence number=10551
*Oct 25 06:08:39: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1615, sequence number=16246
*Oct 25 06:10:01: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1615, sequence number=16927
*Oct 25 06:26:56: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1615, sequence number=29395
*Oct 25 06:35:41: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1615, sequence number=35306
*Oct 25 06:36:52: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1615, sequence number=35835
*Oct 25 06:48:12: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1617, sequence number=3473
*Oct 25 08:39:54: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2.2.2.2, prot=50, spi=0x87ED373D(2280470333), srcaddr=1.1.1.1, input interface=Cellular0/0/0
*Oct 25 09:38:10: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2.2.2.2, prot=50, spi=0xBC10B1CB(3155210699), srcaddr=1.1.1.1, input interface=Cellular0/0/0
*Oct 25 10:35:53: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2.2.2.2, prot=50, spi=0x530B08B0(1393232048), srcaddr=1.1.1.1, input interface=Cellular0/0/0

Here's the output of show crypto ipsec sa peer 2.2.2.2 det:

interface: Cellular0/0/0
Crypto map tag: gre-tunnel-map, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 6276970, #pkts encrypt: 6276970, #pkts digest: 6276970
#pkts decaps: 5874906, #pkts decrypt: 5874906, #pkts verify: 5874906
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 2694
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Cellular0/0/0
current outbound spi: 0x6A2ED478(1781453944)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0xE3087C19(3808984089)
transform: esp-3des esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3633, flow_id: Onboard VPN:1633, sibling_flags 80000040, crypto map: gre-tunnel-map
sa timing: remaining key lifetime (k/sec): (4193929/1655)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6A2ED478(1781453944)
transform: esp-3des esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3634, flow_id: Onboard VPN:1634, sibling_flags 80000040, crypto map: gre-tunnel-map
sa timing: remaining key lifetime (k/sec): (4223323/1655)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Not sure why it is behaving the way it is. We are on a cellular link as it is a backup to the main link on a different device.

Any pointers would be greatly appreciated.

Thanks.

6 Replies

We had the same issue. There really wasn't anything wrong, just that the replay window was too small. We increased it to 35 and the issue went away.

crypto gdoi group MYGETVPN
 identity number 1
  server local
   replay time window-size 35

--
Please remember to select a correct answer and rate helpful posts
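An added example, not from this thread: a small Python model of the counter-based ESP anti-replay window (RFC 4303, section 3.4.3) that shows why a packet delayed by jitter on a cellular link is logged as a replay failure when the window is too narrow, while a genuine duplicate is still rejected at any width. The packet stream and the window widths 64 and 128 are constructed for illustration; note that the reply's `replay time window-size` is GETVPN's time-based variant in seconds, whereas crypto-map peers use the counter-based window set with `crypto ipsec security-association replay window-size`.

```python
# Added example, not from the thread: a minimal model of the counter-based ESP
# anti-replay window (RFC 4303, section 3.4.3) used by crypto-map IPsec peers.
from dataclasses import dataclass, field


@dataclass
class AntiReplayWindow:
    """Receiver-side replay state for one inbound SA."""
    size: int                  # window width in packets; assumed values below
    top: int = 0               # highest sequence number accepted so far
    seen: set = field(default_factory=set)  # accepted seqs inside the window

    def check(self, seq: int) -> str:
        """Classify an arriving ESP sequence number.

        'accept'  - new packet inside or to the right of the window
        'replay'  - duplicate of a packet already accepted (a real replay)
        'too_old' - left of the window: late but legitimate, yet the receiver
                    cannot tell it from a replay, so IOS logs PKT_REPLAY_ERR
        """
        if seq > self.top:
            self.top = seq
            # Slide right; forget anything that fell off the left edge.
            self.seen = {s for s in self.seen if s > self.top - self.size}
            self.seen.add(seq)
            return "accept"
        if seq <= self.top - self.size:
            return "too_old"
        if seq in self.seen:
            return "replay"
        self.seen.add(seq)
        return "accept"


def constructed_stream():
    """Constructed sample: 200 packets in order, except that seq 50 is
    delayed until after seq 150 (jitter) and seq 149 is delivered twice."""
    seqs = [s for s in range(1, 201) if s != 50]
    seqs.insert(seqs.index(150) + 1, 50)
    seqs.append(149)
    return seqs


def run(seqs, size):
    """Count how a window of the given width classifies the stream."""
    window = AntiReplayWindow(size)
    results = [window.check(s) for s in seqs]
    return {k: results.count(k) for k in ("accept", "replay", "too_old")}


if __name__ == "__main__":
    for size in (64, 128):
        print(f"window {size}: {run(constructed_stream(), size)}")
```

With the 64-packet window the delayed packet is dropped as too old (one spurious replay error); with 128 it is accepted, and the real duplicate is rejected in both cases.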

Thanks Marius.

However, we have two tunnels, only one of which seems to be giving this error:

crypto map LSC_VPN_MAP 10 ipsec-isakmp
 set peer 1.1.1.2                 <---- Not showing any errors
 set transform-set LSC_VPN_IPSEC
 set pfs group5
 match address LSC_VPN_ALLOW
!
crypto map gre-tunnel-map 1 ipsec-isakmp
 set peer 1.1.1.1                 <---- Showing errors in log messages
 set transform-set DC-TRANS
 set pfs group1
 match address TUNNEL-ACL

Yes, I saw the same issue. We had 10 tunnels and only half of them showed this issue. There must be some type of delay from the second tunnel that causes the replay. Either way, it can be solved with the configuration in my post above.

--
Please remember to select a correct answer and rate helpful posts

Thanks. I have changed the replay window size just for that crypto map and will keep an eye on it over the next few days to see if it behaves any differently.

So I tried changing the window size for this specific tunnel (didn't do it globally), but unfortunately the problem still remains. I still see the OSPF neighbor relationship flapping at least once a day, with IPsec error messages alongside it in my logs, as below:

*Nov 3 06:30:45: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=73, sequence number=260
*Nov 3 06:33:53: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=73, sequence number=296
*Nov 3 07:28:53: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=75, sequence number=254
*Nov 3 07:32:20: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=75, sequence number=302
*Nov 3 07:43:53: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=75, sequence number=436
*Nov 3 08:13:27: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=77, sequence number=95
*Nov 3 08:34:55: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=77, sequence number=346
*Nov 3 09:11:01: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Nov 3 10:02:22: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel1 from LOADING to FULL, Loading Done
*Nov 3 10:18:53: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=81, sequence number=191
*Nov 3 10:33:53: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=81, sequence number=373
*Nov 3 11:18:24: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=83, sequence number=201
*Nov 3 11:21:06: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=83, sequence number=235
*Nov 3 11:34:20: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=83, sequence number=393
*Nov 3 12:28:20: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=85, sequence number=342
*Nov 3 12:53:53: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=85, sequence number=

Hi All,

Has anyone got any other ideas to help resolve this one?

*Nov 16 04:13:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=723, sequence number=129
*Nov 16 04:21:25: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=723, sequence number=225
*Nov 16 04:48:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=723, sequence number=542
*Nov 16 05:03:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=725, sequence number=32
*Nov 16 05:18:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=725, sequence number=204
*Nov 16 05:20:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=725, sequence number=228
*Nov 16 05:21:50: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=725, sequence number=250
*Nov 16 05:32:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=725, sequence number=376
*Nov 16 05:39:42: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=725, sequence number=456
*Nov 16 06:01:46: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=727, sequence number=28
*Nov 16 06:15:32: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=727, sequence number=185
*Nov 16 06:22:04: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=727, sequence number=265
*Nov 16 06:24:50: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=727, sequence number=294
*Nov 16 06:44:42: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=727, sequence number=529
*Nov 16 06:48:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=727, sequence number=571
*Nov 16 06:51:46: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=727, sequence number=616
*Nov 16 07:12:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=729, sequence number=164
*Nov 16 07:28:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=729, sequence number=346
*Nov 16 07:30:00: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=729, sequence number=368
*Nov 16 07:31:44: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Nov 16 07:56:40: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from LOADING to FULL, Loading Done
*Nov 16 08:43:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=731, sequence number=563
*Nov 16 08:46:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=731, sequence number=596
*Nov 16 08:56:50: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=733, sequence number=32
*Nov 16 09:08:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=733, sequence number=172
*Nov 16 09:18:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=733, sequence number=290
*Nov 16 09:48:03: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=733, sequence number=637
*Nov 16 09:58:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=735, sequence number=69
*Nov 16 10:50:00: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=735, sequence number=673
*Nov 16 12:16:25: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=739, sequence number=343
*Nov 16 12:35:00: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=739, sequence number=560
*Nov 16 12:36:46: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=739, sequence number=586
*Nov 16 14:02:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=743, sequence number=224
*Nov 16 14:16:46: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=743, sequence number=396
*Nov 16 14:24:59: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=743, sequence number=490
*Nov 16 16:23:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=747, sequence number=511
*Nov 16 16:47:54: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=749, sequence number=103
*Nov 16 17:15:32: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=749, sequence number=429
*Nov 16 17:25:00: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=749, sequence number=538
*Nov 16 17:35:32: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=749, sequence number=664
*Nov 16 18:08:15: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=751, sequence number=359
*Nov 16 19:11:46: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=753, sequence number=419
*Nov 16 19:56:59: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Nov 16 20:33:18: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Tunnel1 from LOADING to FULL, Loading Done
*Nov 16 21:08:48: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=757, sequence number=426
*Nov 16 21:59:59: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=759, sequence number=351
*Nov 16 23:42:49: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2.2.2.2, prot=50, spi=0x30303030(808464432), srcaddr=82.221.105.6, input interface=Cellular0/0/0
