Has anyone run into a PIX reporting back a large number of these errors which show up as recv errors in a "sho crypto ipsec sa"?
Debug message:
IPSEC(cipher_ipsec_request): decap failed for 24.x.x.x -> 64.x.x.x IPSEC(sw_esp_decap): fail antireplay check
The site where these errors appear (about 10% of all packets) has a 506 v6.3.5 and the other end is a 515 v7.0.4. 12 other sites run the exact same configuration (506, 6.3.5 & config) as the problem site and none show this problem.
There is little documentation on this error message. IOS allows you to modify the anti-replay window but not the PIX. Assuming this is probably not a real replay attack - could this be an issue with the ISP screwing up the order of the packets inbound? Or somehow delaying 10% of the packets to the 506? Any ideas?
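To make the reordering hypothesis concrete, here is an added example (not part of the original post, and not Cisco's code) of an RFC 4303-style ESP anti-replay sliding window in Python. It feeds a constructed arrival order through the window: every tenth packet is held back by the network for a fixed number of slots. A window size of 64 is an assumption for illustration; the PIX's actual window size is not stated in the post, and the 128-entry run stands in for the larger window IOS lets you configure.

```python
# Added example, not from the original post or from Cisco: an RFC 4303-style
# ESP anti-replay sliding window, used to show why packets that arrive late
# by more than the window size fail the anti-replay check while mild
# reordering is tolerated.

from typing import List, Tuple


class AntiReplayWindow:
    """Sliding window over ESP sequence numbers.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number `top - i` has already been received.
    """

    def __init__(self, size: int = 64) -> None:   # 64 is an assumed window size
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window.

        False means the receiver drops the packet: it is either a duplicate
        or older than the window's lower edge (the 'fail antireplay' case).
        """
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1             # nothing old survives the slide
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # too old: fell outside the window
        if self.bitmap & (1 << offset):
            return False                    # already received: replay/duplicate
        self.bitmap |= 1 << offset          # late but still in-window: accept
        return True


def simulate(stream: List[int], window_size: int = 64) -> Tuple[List[int], List[int]]:
    """Feed an arrival order of sequence numbers through one SA's window.

    Returns (accepted, dropped) in arrival order.
    """
    window = AntiReplayWindow(window_size)
    accepted: List[int] = []
    dropped: List[int] = []
    for seq in stream:
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


def delayed_stream(n: int, every: int = 10, delay: int = 70) -> List[int]:
    """Constructed arrival order: packets 1..n are sent in order, but the
    network holds every `every`-th packet for `delay` packet slots."""
    arrival = [(seq + delay if seq % every == 0 else seq, seq)
               for seq in range(1, n + 1)]
    return [seq for _, seq in sorted(arrival)]


if __name__ == "__main__":
    stream = delayed_stream(100, every=10, delay=70)
    for size in (64, 128):
        accepted, dropped = simulate(stream, size)
        print(f"window={size}: accepted={len(accepted)} dropped={dropped}")
```

With the 64-entry window, the held-back packets that arrive while the sender is still advancing the window are rejected, because they land more than 64 sequence numbers behind the newest packet; the same stream through a 128-entry window is accepted in full. A delay of a few packets would be absorbed either way, so the symptom points at either heavy reordering or a window too small for the path, not at a replay.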