01-16-2010 05:29 AM
Experiencing tunnel failures periodically and receiving these messages at the Head End Router in front of the Key Server at roughly the same time the remote router is dropping the tunnel.
%GDOI-3-REPLAY_FAILED: An anti replay check has failed in group gdoi-group. my_pseudotime is 184467440722644365.83 secs, peer_pseudotime is 184467440722644223.30 secs, replay_window is 5 (second)
The tunnel recovers itself within 10-15 minutes. The difficulty has been trying to catch the problem as it happens so I can gather more information. Logging messages aren't providing any more than the above.
Remote router shows nothing more than "Tunnel recovered".
Checking the System Messages, it says this is informational and no action is necessary. Yet in other searches I have found this may be due to:
- fragmentation (ruled this out)
- traffic load (not seeing anything that leads to this)
- too short a time-based replay window (thinking this may be something to look into)
Before I change the anti-replay time window size on the key server I was looking for some advice:
1) Am I on the right path?
2) Are there other steps to take to zero in on the problem as it's happening? (hard to predict when and where - over 50 remote sites)
3) If I change the anti-replay time window size, will it disrupt communications to the remote sites when the new value is pushed out from the Key Server?
Key Server config for reference:
crypto gdoi group gdoi-group
 identity number 1
 server local
  rekey lifetime seconds 10800
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa xyzxyz
  rekey transport unicast
  sa ipsec 1
   profile gdoi-profile
   match address ipv4 sa-acl
   replay time window-size 5
  address ipv4 1.2.3.4
Thanks in advance
01-19-2010 12:51 PM
Ensure that the time of both KS and GM is synchronized, preferably via NTP. If the clock on the GM drifts, this can cause additional rekey events.
01-19-2010 03:52 PM
Try to increase your replay window to a value greater than 35 seconds; this is a known bug (CSCta20590).
replay time window-size 35, etc.
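To make the log line from the original post and the 35-second suggestion concrete, here is an added example (not from the thread, and not Cisco code) that parses %GDOI-3-REPLAY_FAILED messages, computes the pseudotime skew they report, and evaluates whether a given time-based replay window would have accepted the packet. It assumes the simplified model "accept when |my_pseudotime - peer_pseudotime| <= window-size"; the actual check is Cisco's implementation. The group name "lab-group" and the second log line are constructed for contrast; the first line is the one quoted above.

```python
"""Parse IOS %GDOI-3-REPLAY_FAILED messages and evaluate the time-based
anti-replay check they report.  Added example; not from the thread or Cisco."""
import re
from dataclasses import dataclass
from decimal import Decimal, ROUND_CEILING
from typing import Dict, Iterable, Optional

# Pattern built from the exact message text quoted in the original post.
REPLAY_RE = re.compile(
    r"%GDOI-3-REPLAY_FAILED: An anti replay check has failed in group (?P<group>\S+)\."
    r" my_pseudotime is (?P<mine>\d+(?:\.\d+)?) secs,"
    r" peer_pseudotime is (?P<peer>\d+(?:\.\d+)?) secs,"
    r" replay_window is (?P<window>\d+(?:\.\d+)?) \(second\)"
)


@dataclass(frozen=True)
class ReplayFailure:
    group: str
    my_pseudotime: Decimal    # receiver's pseudotime, seconds
    peer_pseudotime: Decimal  # pseudotime carried in the peer's packet, seconds
    window: Decimal           # configured 'replay time window-size', seconds


def parse_replay_failure(line: str) -> Optional[ReplayFailure]:
    """Return the parsed event, or None when the line is not a REPLAY_FAILED message.

    Decimal is used on purpose: the 20-digit pseudotime values in the thread
    lose their fractional part if stored in a binary float."""
    m = REPLAY_RE.search(line)
    if m is None:
        return None
    return ReplayFailure(
        group=m["group"],
        my_pseudotime=Decimal(m["mine"]),
        peer_pseudotime=Decimal(m["peer"]),
        window=Decimal(m["window"]),
    )


def pseudotime_skew(ev: ReplayFailure) -> Decimal:
    """Receiver pseudotime minus peer pseudotime; positive means the peer is behind."""
    return ev.my_pseudotime - ev.peer_pseudotime


def passes_replay_check(ev: ReplayFailure, window: Optional[int] = None) -> bool:
    """Simplified model (assumption): accept when the absolute skew is within the
    window.  With no explicit window the one reported in the message is used."""
    w = ev.window if window is None else Decimal(window)
    return abs(pseudotime_skew(ev)) <= w


def minimum_window(ev: ReplayFailure) -> int:
    """Smallest whole-second window that would have accepted this packet."""
    return int(abs(pseudotime_skew(ev)).to_integral_value(rounding=ROUND_CEILING))


def worst_skew_by_group(lines: Iterable[str]) -> Dict[str, Decimal]:
    """Largest absolute skew seen per GDOI group across a batch of syslog lines,
    which is what you want to know before picking a new window-size."""
    worst: Dict[str, Decimal] = {}
    for line in lines:
        ev = parse_replay_failure(line)
        if ev is None:
            continue
        skew = abs(pseudotime_skew(ev))
        if skew > worst.get(ev.group, Decimal(0)):
            worst[ev.group] = skew
    return worst


# SAMPLE_LOG[0] is the message quoted in the original post; the other two
# lines are constructed here (a small-skew failure and an unrelated message).
SAMPLE_LOG = [
    "%GDOI-3-REPLAY_FAILED: An anti replay check has failed in group gdoi-group. "
    "my_pseudotime is 184467440722644365.83 secs, "
    "peer_pseudotime is 184467440722644223.30 secs, replay_window is 5 (second)",
    "%GDOI-3-REPLAY_FAILED: An anti replay check has failed in group lab-group. "
    "my_pseudotime is 90012.25 secs, peer_pseudotime is 90000.00 secs, "
    "replay_window is 5 (second)",
    "%SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_replay_failure(line)
        if ev is None:
            continue
        print(f"{ev.group}: skew={pseudotime_skew(ev)}s window={ev.window}s "
              f"passes@35s={passes_replay_check(ev, 35)} min_window={minimum_window(ev)}s")
```

Run against the quoted message, the skew comes out at 142.53 seconds, so neither the configured 5-second window nor a 35-second one covers it; a window of at least 143 seconds would be needed for that particular packet. Feeding a day's worth of syslog from the head end into worst_skew_by_group gives the per-group maximum, which is the number to compare against any window-size you are considering.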