Strange problem with GETVPN Rekeying

christof32
Level 1

Occasionally I lose connectivity with a GM when it fails to rekey.

Before and after that happens I have many consecutive anti-replay check failures.

According to the log:

.May  3 10:28:34.167: %GDOI-4-TIMEBASED_REPLAY_FAILED: An anti replay check has failed in group XXX. my_pseudotime is 12414551.01 secs, peer_pseudotime is 12414541.00 secs,  replay_window is 10 (second)

.May  3 10:28:34.167: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

        connection id=6501, sequence number=2692619

The result is that if the rekeying happens while the GM is experiencing the anti-replay problems, it fails and I lose connectivity to the router (telnet is in the encryption ACL).

Then I log in to the GM through SSH and execute “clear crypto gdoi” and everything returns to normal.

I have used “rekey retransmit 10 number 4” on the KSes.

The strange thing is that I have seen these messages occasionally on many different GMs in the past, but it is the first time that rekeying has failed during that time. Is it a random event?

I would appreciate your opinion about that.

Regards,
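
Added example (not part of the original post, and not Cisco code): a small Python parser for the %GDOI-4-TIMEBASED_REPLAY_FAILED message quoted above that computes how far each failure falls outside the replay window, per group. The first sample line is the one from the post; the later TBAR line, the function names and the summary fields are constructed for illustration.

```python
import re
from decimal import Decimal

# Fields as they appear in the message quoted in the post.
TBAR_RE = re.compile(
    r"%GDOI-4-TIMEBASED_REPLAY_FAILED: .*? in group (?P<group>\S+)\. "
    r"my_pseudotime is (?P<mine>[\d.]+) secs, "
    r"peer_pseudotime is (?P<peer>[\d.]+) secs,\s+"
    r"replay_window is (?P<window>\d+)"
)

# Lines 1-2 are from the post; line 3 is a constructed sample.
SAMPLE_LOG = [
    ".May  3 10:28:34.167: %GDOI-4-TIMEBASED_REPLAY_FAILED: An anti replay check has failed in group XXX. "
    "my_pseudotime is 12414551.01 secs, peer_pseudotime is 12414541.00 secs,  replay_window is 10 (second)",
    ".May  3 10:28:34.167: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed",
    ".May  3 10:28:41.902: %GDOI-4-TIMEBASED_REPLAY_FAILED: An anti replay check has failed in group XXX. "
    "my_pseudotime is 12414560.50 secs, peer_pseudotime is 12414549.20 secs,  replay_window is 10 (second)",
]

def parse_tbar(line):
    """Return group, skew, window and overshoot for a TBAR failure line, else None."""
    m = TBAR_RE.search(line)
    if m is None:
        return None
    # Decimal keeps the two-decimal pseudotimes exact (no float rounding).
    skew = Decimal(m["mine"]) - Decimal(m["peer"])
    window = Decimal(m["window"])
    return {"group": m["group"], "skew": skew, "window": window,
            "over": abs(skew) - window}

def summarize(lines):
    """Per group: failure count, worst overshoot, and how often the peer was behind."""
    out = {}
    for line in lines:
        ev = parse_tbar(line)
        if ev is None:
            continue  # not a TBAR failure message
        g = out.setdefault(ev["group"],
                           {"count": 0, "max_over": Decimal(0), "peer_behind": 0})
        g["count"] += 1
        g["max_over"] = max(g["max_over"], ev["over"])
        g["peer_behind"] += ev["skew"] > 0  # peer pseudotime older than local
    return out

if __name__ == "__main__":
    for group, s in summarize(SAMPLE_LOG).items():
        print(f"group {group}: {s['count']} failures, worst overshoot "
              f"{s['max_over']} s, peer behind in {s['peer_behind']}")
```

For the line in the post, the skew is 10.01 s against a 10 s window, so the packet missed the window by 0.01 s.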

4 Replies

jecker
Level 1

Hello,

Did you ever find a cause / resolution to this issue?

Any resolution to this?

I am having the same issue.

balayan_pankaj
Level 1

I am also having the same issue.

Can we disable TBAR in GetVPN environment?

Would there be any impact once TBAR is disabled?

jecker
Level 1

Hello,

I had this problem on an ASR 1001.  I ended up disabling TBAR which resolved the issue and did not encounter any other issues.  I have since upgraded the ASR to the latest code and re-enabled TBAR and have not had any issues since.


Hope this helps. 
