PIX fail antireplay check

mcordiez
Level 1

Has anyone run into a PIX reporting back a large number of these errors which show up as recv errors in a "sho crypto ipsec sa"?

Debug message:

IPSEC(cipher_ipsec_request): decap failed for 24.x.x.x -> 64.x.x.x IPSEC(sw_esp_decap): fail antireplay check

The site where these errors appear (about 10% of all packets) has a 506 v6.3.5 and the other end is a 515 v7.0.4. 12 other sites run the exact same configuration (506, 6.3.5 & config) as the problem site and none show this problem.

There is little documentation on this error message. IOS allows you to modify the anti-replay window but not the PIX. Assuming this is probably not a real replay attack - could this be an issue with the ISP screwing up the order of the packets inbound? Or somehow delaying 10% of the packets to the 506? Any ideas?
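To make the "fail antireplay check" behaviour concrete, here is an added example (not from the original post or from Cisco) of the ESP sliding-window anti-replay check described in RFC 4303, with a constructed packet stream in which one packet is delayed. The 64-packet window and the `delayed_stream` helper are assumptions for illustration; the point it shows is that reordering inside the window is accepted, while a packet that arrives more than a window's worth of packets late, or a genuine duplicate, is rejected and counted as a receive error.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check modelled on RFC 4303 (ESP), 32-bit
    sequence numbers, no extended sequence numbers.

    bit 0 of `bitmap` represents `highest`, bit i represents highest - i.
    """

    def __init__(self, window_size=64):
        self.window_size = window_size      # 64 is the RFC 4303 minimum default
        self.highest = 0                    # highest sequence number accepted so far
        self.bitmap = 0                     # which seqs inside the window were seen
        self.bitmap_mask = (1 << window_size) - 1

    def check_and_update(self, seq):
        """Return True if `seq` is fresh and inside the window, updating state."""
        if seq == 0:
            return False                    # first ESP packet on an SA uses seq 1
        if seq > self.highest:
            # New high-water mark: slide the window to the right.
            shift = seq - self.highest
            if shift < self.window_size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.bitmap_mask
            else:
                self.bitmap = 1             # jumped past the whole window
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window_size:
            return False                    # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                    # already received: a duplicate/replay
        self.bitmap |= 1 << diff            # late but inside the window: accept
        return True


def run_stream(arrivals, window_size=64):
    """Feed an arrival order through one window; return (accepted, rejected) seqs."""
    window = AntiReplayWindow(window_size)
    accepted, rejected = [], []
    for seq in arrivals:
        (accepted if window.check_and_update(seq) else rejected).append(seq)
    return accepted, rejected


def delayed_stream(n, seq, delay):
    """Constructed arrival order: seqs 1..n in order, except `seq` arrives
    `delay` packets later than it should (models ISP reordering/delay)."""
    order = [s for s in range(1, n + 1) if s != seq]
    order.insert(min(seq - 1 + delay, len(order)), seq)
    return order


def failure_rate(arrivals, window_size=64):
    """Fraction of packets the receiver would log as anti-replay failures."""
    _, rejected = run_stream(arrivals, window_size)
    return len(rejected) / len(arrivals)


if __name__ == "__main__":
    # Packet 50 delayed by 10 positions: still inside the 64 window, accepted.
    print(run_stream(delayed_stream(200, 50, 10))[1])      # []
    # Packet 50 delayed by 70 positions: outside the window, rejected.
    print(run_stream(delayed_stream(200, 50, 70))[1])      # [50]
    # A wider window (as IOS allows) would have accepted it.
    print(run_stream(delayed_stream(200, 50, 70), 128)[1])  # []
    # A true duplicate is rejected regardless of the window.
    print(run_stream([1, 2, 3, 2])[1])                     # [2]
```

Because the window only tracks the most recent 64 sequence numbers, a receiver cannot distinguish a packet delayed by more than that from a replayed one; a steady 10% rejection rate on one path, with the identical configuration clean elsewhere, is consistent with that path reordering or delaying packets beyond the window.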

1 Reply

michelcaissie
Level 1

Unfortunately I don't have an answer, but I have a similar problem. The only difference is that I have a PIX 520 6.3(5) instead of a PIX 515, and a dozen remote sites with PIX 506 6.3(5). The problem occurs only with one site, though the errors are much lower, around .02%. The VPN with this site has been running for the last 4 years and I only noticed this error last December. I posted a message on comp.dcom.sys.cisco but got no answers.

I'll let you know if I ever find something...