CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

ivykaixin
Level 1

Center router is Cisco 7300:

Cisco IOS Software, 7301 Software (C7301-ADVIPSERVICESK9-M), Version 15.1(4)M2

Branch router is Cisco 1900:

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)

One branch router uses EZVPN to connect to the center router.

Branch router log:

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

and 10% packet loss.

But another branch that uses EZVPN to connect to the center router is OK:

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)

What can I do about this issue?

Should I change the Cisco 1900 IOS to 12.4, the same as the Cisco 880?


anujsharma85
Level 1

This message can occur occasionally during normal operation of the system. It may occur during the transition to a new session key for a Security association. This is a notification message seen on the console of the decrypting peer that tells the user that IPSec packets have been received out of order. In such cases, no action is required. However, if it happens frequently, or is associated with traffic disruption, then the VPN hardware accelerator will most likely require replacement.

Check if the branch router has any crypto card installed. If yes, then try disabling it and check if issue persists:

no crypto engine accelerator

Make sure to do this during off office hours as this will tear down all the tunnels.

If issue still persists then try changing your window size for crypto using command mentioned below:

crypto ipsec security-association replay window-size 1024

If the issue still persists, then please make sure to provide the whole error message and check if the error message also specifies any connection ID. If yes, then match the connection ID against the output of "show crypto ipsec sa".

This will tell whether the issue is occurring with our tunnel only or not.

Regards,

Anuj
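The reply above describes the ESP anti-replay window that produces this message. As an added illustration, not code from this thread or from Cisco, here is a Python model of the RFC 4303 sliding-window check: a delayed packet fails under a 64-slot window but passes under window-size 1024, while a genuine duplicate fails under either. The arrival orders are constructed.

```python
"""Sliding-window anti-replay check as used by IPsec ESP (RFC 4303, Appendix A).
Added example for illustration; shows why reordered packets trip
%CRYPTO-4-PKT_REPLAY_ERR and how a larger replay window-size tolerates them."""


class ReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the last
    `size` sequence numbers that have already been received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  seq (top - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is accepted, False if it fails the replay check
        (duplicate, or older than the left edge of the window)."""
        if seq == 0:
            return False                        # ESP sequence numbers start at 1
        if seq > self.top:                      # advance the right edge
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) | 1
            else:
                self.bitmap = 1                 # everything older falls out
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                        # too old: "replay check failed"
        if self.bitmap & (1 << diff):
            return False                        # already seen: true replay
        self.bitmap |= 1 << diff                # late but inside the window
        return True


def simulate(seqs, window_size):
    """Feed an arrival order through one SA's window; return rejected seqs."""
    win = ReplayWindow(window_size)
    return [s for s in seqs if not win.check_and_update(s)]


# Constructed arrival order: packet 5 arrives after 194 later packets.
LATE_ARRIVAL = list(range(1, 5)) + list(range(6, 200)) + [5]

if __name__ == "__main__":
    print("window 64   rejects:", simulate(LATE_ARRIVAL, 64))    # [5]
    print("window 1024 rejects:", simulate(LATE_ARRIVAL, 1024))  # []
    print("duplicate   rejects:", simulate([1, 2, 3, 2], 1024))  # [2]
```

On the thread's router the window was already 1024 and the errors continued, which is consistent with the reply's point that frequent failures point to something other than mild reordering.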

Hi Anuj,

Thanks for your reply.

Yes, the issue happens frequently, and packets are lost. The log message appears every 3 minutes.

As I am not in charge of the router in the branch, I cannot change the hardware accelerator.

I have changed the window-size to 1024 on the branch router, but the issue is as before.

Here is the show crypto ipsec sa output and the whole error message:

sh crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer                port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 519, #pkts encrypt: 519, #pkts digest: 519
    #pkts decaps: 665, #pkts decrypt: 665, #pkts verify: 665
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.:       , remote crypto endpt.:  

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x550C1C42(1426857026)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x38F532D7(955593431)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2091, flow_id: Onboard VPN:91, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4561181/3566)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 1024
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x550C1C42(1426857026)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2092, flow_id: Onboard VPN:92, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4561911/3566)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 1024
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Dec 20 01:34:32.656: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=91, sequence number=12353

Dec 20 01:39:06.552: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=91, sequence number=18191

Dec 20 01:40:38.532: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=91, sequence number=20363

Dec 20 01:43:05.856: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=91, sequence number=23609