Re: ISR4331/K9 IPSEC tunnel flapping

amit.gurav95@gmail.com · ‎04-15-2023

Hello Team ,

we have a IPSEC tunnel created over Internet connection.
Internet connection flapped from 10 mins and after that IPSEC tunnels took around 3 hours to be stable.

Port Down logs :

bsr02-e-irq-r-dvs-01#show log | i GigabitEthernet0/1/0
Apr 15 04:10:39.891: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/0, changed state to down
Apr 15 04:10:40.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1/0, changed state to down
Apr 15 04:20:07.927: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/0, changed state to up
Apr 15 04:20:08.928: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1/0, changed state to up
bsr02-e-irq-r-dvs-01#

bsr02-e-irq-r-dvs-01# show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = INTERNET
Peer I/F Username Group/Phase1_id Uptime Status
207.11.240.3 Tu600 207.11.240.3 05:25:50 UA

IPSEC Logs :

bsr02-e-irq-r-dvs-01#show log | i 207.11.240.3
Apr 15 05:18:36.293: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00010390239920615230 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
Apr 15 05:20:04.386: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00010390328013581570 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
Apr 15 05:23:30.494: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00010390534122587836 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
Apr 15 05:24:34.894: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00010390598522795646 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
Apr 15 05:26:49.714: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00010390733342989696 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
Apr 15 05:28:00.517: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00010390804145737358 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
Apr 15 05:53:31.303: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00010392334936338478 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
Apr 15 05:55:01.816: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00010392425449603866 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 5, src_addr 207.11.240.3, dest_addr 37.238.135.202, SPI 0x8037f251
bsr02-e-irq-r-dvs-01#

bsr02-e-irq-r-dvs-01#show clock
13:46:29.121 [timezone] Sat Apr 15 2023
bsr02-e-irq-r-dvs-01#

MHM Cisco World · ‎04-15-2023

enlarge the IPsec reply window size

IPsec Anti-Replay Window Expanding and Disabling (cisco.com)