«

Since a couple of days our 3725 logs messages like this:

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=9, sequence number=52601

A couple of messages are logged every hour, and the connection id
changes slowly over time.
I know that these refer to IPsec connection (replay checking), and I
already applied a workaround for too small checking window advised in
a technical document:

crypto ipsec security-association replay window-size 1024

However, there is no change.

What I would like to know is: what command can be used to list the
connections that the log message refers to (id=9 in this case), shortly
after a message is logged.
I would like to know which IPsec peer is causing those messages, so
that I can investigate the internet connection used by that peer.
Maybe there is an error that causes packet duplication on that connection.

Commands that I have used so far (like "show crypto isakmp sa" and
"show crypto ipsec sa") do not show connection ids that match the
value logged in the message.

So, what connection is it referring to?

Rob <> wrote:
> Commands that I have used so far (like "show crypto isakmp sa" and
> "show crypto ipsec sa") do not show connection ids that match the
> value logged in the message.

In "show crypto ipsec sa" there are connection IDs, but it seems like
they number from 2000.

Could it be that the "connection id=19" in the log message corresponds
to the connection with conn id 2019 in the "show crypto ipsec sa" output?