Has anyone ever seen this VPN IPSEC error?

Discussion in 'Cisco' started by Evolution, May 24, 2006.

  1. Evolution (Guest)

    May 24 14:52:26.622 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay
    check failed
    connection id=49, sequence number=263777

    If so what does it mean?

    -RWS
     
    Evolution, May 24, 2006
    #1


  3. sampark (Guest)

    Hello Evolution,

    May 24 14:52:26.622 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay
    check failed
    connection id=49, sequence number=263777
    The message is telling you that the packet arrived after the anti-replay
    timer had expired.
    Anti-replay has major significance in the crypto world. Please read
    more about it on Google if you are interested. You can also read the
    IPsec charter on the IETF website to understand its significance.

    This message can appear when there is delay in the network path and the
    packets are fragmented. Because of this delay, the anti-replay timer of
    the queue that holds all the fragments together expires and the whole
    queue is discarded. Normally this message is not alarming; however, if
    you are receiving a lot of them, then you must check the delay and RTT
    in your network path. Sometimes playing with MTU values and ICMP type 3
    code 4 (packet too big, fragmentation needed) can also help. If you
    enable debug ICMP and see ICMP type 3 code 4 messages, you know you have
    an MTU problem in the network.

    I hope this info will be of some use to you.

    -Vikas
     
    sampark, May 24, 2006
    #3
  4. sampark (Guest)

    You should only be doing this if you know your network and your ISP is
    your friend. Otherwise, there is still no way to set the default and
    modify the values for other tunnels.
    A window size of 64 packets is quite a size for most networks.

    The experimental version of this code has been running since 12.3(8)T,
    and they introduced it in 12.3(14)T, again a T line of code.

    -Vikas
     
    sampark, May 24, 2006
    #4
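    To make the two replies above concrete: the %CRYPTO-4-PKT_REPLAY_ERR check in ESP (RFC 4303, section 3.4.3) is a sliding window over the 32-bit sequence number, not a clock. The receiver remembers the highest sequence number accepted and a bitmap of which of the preceding N sequence numbers it has already seen; a packet is dropped if its number is a duplicate or falls more than N behind the highest, which is what happens to a delayed or late-reassembled packet once N newer ones have arrived. Below is a small model of that window, added here as an example and not code from the original thread or from Cisco IOS. The window size of 64 matches the default the fourth reply refers to; the sequence numbers and arrival order are constructed to reproduce the log line from the first post.

```python
"""Model of the ESP anti-replay sliding window (RFC 4303, section 3.4.3).

Added example for the thread; not code from the original posts or from
Cisco IOS. Window size, sequence numbers and arrival order are constructed.
"""


class AntiReplayWindow:
    """Receiver-side sliding window over 32-bit ESP sequence numbers.

    `highest` is the largest sequence number accepted so far. Bit i of
    `bitmap` is set when sequence number (highest - i) has been received,
    so bit 0 always refers to `highest` itself.
    """

    def __init__(self, size=64):
        self.size = size          # IOS default is 64 packets
        self.highest = 0          # sequence number 0 is never used by ESP
        self.bitmap = 0

    def check(self, seq):
        """Return True if `seq` is fresh and inside the window (and record it);
        False if it is a duplicate or too far behind the window's right edge.
        The False case is what the router logs as 'replay check failed'."""
        if seq == 0:
            return False
        if seq > self.highest:
            # Slide the window to the right; bits for sequence numbers that
            # were skipped (not yet seen) become zero.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # left of the window: arrived too late
        if self.bitmap & (1 << offset):
            return False          # already seen: duplicate or replay
        self.bitmap |= 1 << offset
        return True


def simulate(arrivals, size=64):
    """Feed a list of sequence numbers in arrival order; return [(seq, accepted)]."""
    window = AntiReplayWindow(size)
    return [(seq, window.check(seq)) for seq in arrivals]


def late_packet_scenario(size=64):
    """Constructed scenario: 10 in-order packets, then 64 more, and only then
    sequence number 263777 (the one from the log line) shows up, as a delayed
    or late-reassembled fragment would. Returns (263777, accepted)."""
    delayed = 263777
    arrivals = (list(range(delayed - 10, delayed))          # in order
                + list(range(delayed + 1, delayed + 65))    # 64 newer packets
                + [delayed])                                # the late one
    return simulate(arrivals, size)[-1]


if __name__ == "__main__":
    print("window 64 :", late_packet_scenario(64))    # dropped, as in the log
    print("window 128:", late_packet_scenario(128))   # accepted
    print("duplicate :", simulate([5, 5]))            # second copy rejected
```

    With the default window of 64 the late packet is rejected because 64 newer sequence numbers have already moved the window past it; widening the window to 128 accepts it. That is the knob the fourth reply is talking about: on IOS 12.3(14)T and later the global command `crypto ipsec security-association replay window-size <64-1024>` enlarges the window, and `crypto ipsec security-association replay disable` turns the check off entirely. Disabling it removes replay protection for the SA, so the usual fix is to widen the window only on the tunnel that reorders traffic and to correct the underlying delay or fragmentation first.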