VPN failed anti-replay checking

mickyq
Level 1

I have many VPN sites using ASA5505 with broadband connection and terminating on a single ASA5550.

I have a problem with one site. They are having poor performance. One of the issues I can see is an error on the remote ASA 5505.

The error is:

%ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x75350BF6, sequence number= 0xD0C51) from FIREWALL (user= 193.1.1.1) to 85.1.1.1 that failed anti-replay checking.

I've tried the recommended fix using this command:

crypto ipsec security-association replay window-size 1024

Has anyone had this issue or can anyone recommend a resolution?

thanks

2 Replies

mickyq
Level 1

Has no one had this problem? I don't seem to be able to find much help regarding this issue. Any help would be appreciated.

thanks

Hi Michael,

You have a VoIP QoS problem on your ASA 5505. Please check your class-map-policy map rules on 5505 and if service-policy is activated on outside interface or not.

Error Message when QoS is Enabled in one End of the VPN Tunnel

Problem

If you enabled QoS in one end of the VPN Tunnel, you might receive this error message:

IPSEC: Received an ESP packet (SPI= 0xDB6E5A60, sequence number= 0x7F9F) from
10.18.7.11 (user= ghufhi) to 172.16.29.23 that failed anti-replay checking

Solution

This message is normally caused when one end of the tunnel is doing QoS. This happens when a packet is detected as being out of order. You can disable QoS to stop this but it can be ignored as long as traffic is able to traverse the tunnel.

Please rate if you find it useful.

Thanks

Allen
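
The check behind this log message, as an added example that is not part of either post and is not Cisco's code: a simplified RFC 4303-style anti-replay window fed a constructed arrival order in which QoS holds low-priority packets back, showing why packets delayed further than the window fail the check and why a larger window such as the `window-size 1024` from the question tolerates it. The 64-packet comparison window, the reordering pattern and all function names are assumptions made for illustration.

```python
from collections import Counter

class ReplayWindow:
    """Simplified RFC 4303-style receiver window (32-bit sequence numbers, no ESN)."""
    def __init__(self, size):
        self.size = size    # window width in packets
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) was already accepted

    def check(self, seq):
        """Classify one packet as 'ok', 'replayed' or 'too_old' and update state."""
        if seq < 1:
            return "too_old"                  # ESP sequence numbers start at 1
        if seq > self.top:                    # new highest: slide the window forward
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"                  # arrived after the window moved past it
        if (self.bitmap >> offset) & 1:
            return "replayed"                 # same sequence number seen twice
        self.bitmap |= 1 << offset
        return "ok"

def qos_reorder(n, every, delay):
    """Constructed arrival order: every `every`-th packet is low priority and is
    released only after the packet `delay` positions later has been handled."""
    held, out = [], []
    for seq in range(1, n + 1):
        if seq % every == 0:
            held.append((seq + delay, seq))
        else:
            out.append(seq)
        while held and held[0][0] <= seq:
            out.append(held.pop(0)[1])
    out.extend(s for _, s in held)            # flush whatever is still queued
    return out

def verdicts(arrivals, size):
    """Run an arrival sequence through a window of `size` and count the outcomes."""
    window = ReplayWindow(size)
    return Counter(window.check(seq) for seq in arrivals)

if __name__ == "__main__":
    arrivals = qos_reorder(2000, every=10, delay=200)
    for size in (64, 1024):
        print(size, dict(verdicts(arrivals, size)))
```

A packet counted as `too_old` or `replayed` here corresponds to one that would be dropped and logged as failing anti-replay checking; if the reordering depth exceeds the configured window, enlarging the window alone does not stop the drops.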
