Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
171
Views
3
Helpful
4
Replies

Anti-replay error

George Vanyan
Level 1
Level 1

ā€Ž04-14-2024 11:37 PM

Hello everyone!

Tunnel1 - destination tunnel

Tunnel2 - source tunnel

source_IP - ip of the source router (branch router)

dest_IP - ip of the destination router (main router) 

I am getting anti-replay errors, logs are collected on the main router

*Apr 15 04:53:19.429: %IOSXE-3-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00035202425930349136 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 135, src_addr [source_IP], dest_addr [dest_IP], SPI 0xbedce633
*Apr 15 04:54:20.252: %IOSXE-3-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00035202486753721092 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 135, src_addr [source_IP], dest_addr [dest_IP], SPI 0xbedce633
*Apr 15 04:55:21.037: %IOSXE-3-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:000 TS:00035202547538226388 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 135, src_addr [source_IP], dest_addr [dest_IP], SPI 0xbedce633

Found this guide https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html but this is not a solution that can be performed as the main router connects all branches and third parties, and where all tunnels are implemented.

I made an access list where traffic from tunnel2 to tunnel1 was permitted and no errors popped up. 

the IPSEC is configured correctly, and there is only one tunnel

any ideas?

Labels:
0 Helpful
4 Replies 4

MHM Cisco World
VIP
VIP

ā€Ž04-14-2024 11:47 PM

  • The error might result from a sufficient packet that is reordered in the network path between the tunnel endpoints. This can likely occur if there are multiple network paths between the peers.

This from link you share which I know well.

Do traceroute from tunnel sourc to tunnel destination  (not tunnel IP) 

See if there is multi path or not

It can be the ipsec receive wrong order and this make ipsec drop packet' 

I think if that case ypu can enlarge the ipsec window size 

MHM

George Vanyan
Level 1
Level 1
In response to MHM Cisco World

ā€Ž04-15-2024 12:50 AM

Thanks for the tip, will check and come back with the result

George Vanyan
Level 1
Level 1
In response to MHM Cisco World

ā€Ž04-15-2024 08:20 AM

I double-checked everything, double routes are not the case, the firmware has a vulnerability and was compromised.

Implemented the fix already, thanks for the fast response!

0 Helpful

MHM Cisco World
VIP
VIP
In response to George Vanyan

ā€Ž04-15-2024 08:21 AM

You are so welcome friend 

And thanks for update me

MHM

Customers Also Viewed These Support Documents