I have been seeing the following error message in the logs for a few days now.
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=4587, sequence number=17094
I managed to track down connection id 4587 and I can see the peer IP with the actual recv errors. There are no issues with the VPN itself; traffic is working fine.
I have tried to increase the actual window size under the specific crypto map for that particular peer and it makes no difference. I even cleared the SA after applying the changes.
crypto map xxxxxxxxx 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
security-association replay window-size 1024
I have increased the replay window globally to 1024; however, the errors keep appearing.
crypto ipsec security-association replay window-size 1024
Has anyone actually disabled the replay window checking? Did it impact anything?
crypto ipsec security-association replay disable
no crypto ipsec security-association replay window-size 1024
Does it actually stop the replay errors?
Or, to stop these errors, do you need to change the hash algorithm to SHA instead of MD5?
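To see what the router is actually checking when it logs %CRYPTO-4-PKT_REPLAY_ERR, here is a small model of the ESP sliding anti-replay window (the algorithm in RFC 4303, Appendix A), together with a parser for the log line above. This is an added example, not code from the original post or from Cisco; it assumes the IOS check behaves like the RFC window, and the packet arrival orders and the sample log line are constructed for the demonstration. It shows why a bigger window only helps with packets that are late or reordered by less than the window size, and why a genuine duplicate is rejected no matter how large the window is.

```python
import re

# Pattern for the syslog line seen in the original post (constructed sample below).
REPLAY_ERR_RE = re.compile(
    r"%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed\s+"
    r"connection id=(?P<conn_id>\d+),\s*sequence number=(?P<seq>\d+)"
)


def parse_replay_error(line):
    """Return {'conn_id': int, 'seq': int} for a replay-error log line, else None."""
    m = REPLAY_ERR_RE.search(line)
    if not m:
        return None
    return {"conn_id": int(m.group("conn_id")), "seq": int(m.group("seq"))}


class AntiReplayWindow:
    """Receiver-side sliding window over ESP sequence numbers (RFC 4303 style).

    The window covers [top - size + 1, top]; one bit per sequence number
    records whether that packet has already been accepted.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen
        self._mask = (1 << size) - 1

    def check_and_update(self, seq):
        """True if seq is accepted; False if it is a duplicate or too old."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.top:
            # Slide the window forward; the new packet becomes the right edge.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the left edge: "replay check failed"
        if self.bitmap & (1 << offset):
            return False                      # inside the window but already seen: true replay
        self.bitmap |= 1 << offset            # late but new: accept and remember it
        return True


def simulate(window_size, arrival_order):
    """Feed packets in arrival order; return the sequence numbers that were rejected."""
    window = AntiReplayWindow(window_size)
    return [seq for seq in arrival_order if not window.check_and_update(seq)]


# Constructed arrival order: packet 500 is delayed until after packet 1500
# (reordered by 1000 positions), and packet 1800 is delivered twice.
ARRIVAL_ORDER = (
    list(range(1, 500)) + list(range(501, 1501)) + [500]
    + list(range(1501, 2001)) + [1800]
)

if __name__ == "__main__":
    sample = ("%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed "
              "connection id=4587, sequence number=17094")
    print(parse_replay_error(sample))
    for size in (64, 1024):
        print(f"window {size:>4}: rejected {simulate(size, ARRIVAL_ORDER)}")
```

With the default 64-packet window both the late packet 500 and the duplicate 1800 are rejected; with a 1024-packet window the late packet is accepted but the duplicate is still rejected. So if the counter keeps rising after raising the window to 1024, the peer is either reordering by more than 1024 packets or really is sending duplicate sequence numbers (for example two SAs or paths sharing one SPI), and the hash algorithm is not involved in this check at all.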