Re: IPSEC Tunnel error

Robo123 · ‎08-06-2024

Hi Team ,

We are observing low speed while coping data from client infra via IPSEC Tunnel.

We have seen below errors in router where IPSEC is configured.

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr Replay Chk Failure:srcadr=XX.XX.XX.XX ,dstadr=XX.XX.XX.XX,size=144,sequence number=0x74F5,SPI=0x76974E6B

Can any one confirm what exactlty cause of getting packets out of order and how can we solve this.

MHM Cisco World · ‎08-06-2024

What is platform you have ?

MHM

Robo123 · ‎08-06-2024

Cisco 1941

MHM Cisco World · ‎08-06-2024

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html

Check this

MHM

Robo123 · ‎08-06-2024

@MHM Cisco World ,

Thanks for sharing the document.

There is o Qos policy enabled in the datapath.But still we are getting the same error logs.Could you please suggest on this.

MHM Cisco World · ‎08-06-2024

You meaning there is NO QoS'

Friend check path' it can you have two path and this make packet receive out or order.

To detect multi path use traceroute and see hops appear

MHM

Robo123 · ‎08-07-2024

@MHM Cisco World,

I am seeing the Router egress port is supporting 100Mbps speed and there are some output drops happening on the same interface which is more than 2%.I am suspecting this is causing replay check failure.Please let me know your thoughts.

sementha · ‎08-06-2024

The error indicates a replay check failure, often caused by packet duplication or incorrect sequencing. To address this, check your IPSEC configuration for correct settings and ensure that both ends of the tunnel are synchronized. Verify that your devices have matching security policies and try updating firmware if issues persist.

Robo123 · ‎08-06-2024

This is the IPSEC between Cisco 1941 routers.