what connection does "replay check failed" refer to?

Discussion in 'Cisco' started by Rob, Jan 21, 2011.

  1. Rob

    Rob Guest

For a couple of days now, our 3725 has been logging messages like this:

    %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
    connection id=9, sequence number=52601

    A couple of messages are logged every hour, and the connection id
    changes slowly over time.
I know that these refer to IPsec connections (replay checking), and I
have already applied the workaround for a too-small checking window that
is advised in a technical document:

    crypto ipsec security-association replay window-size 1024

    However, there is no change.

What I would like to know is: what command can be used to list the
connections that the log message refers to (id=9 in this case) shortly
after a message is logged?
    I would like to know which IPsec peer is causing those messages, so
    that I can investigate the internet connection used by that peer.
    Maybe there is an error that causes packet duplication on that connection.

    Commands that I have used so far (like "show crypto isakmp sa" and
    "show crypto ipsec sa") do not show connection ids that match the
    value logged in the message.

    So, what connection is it referring to?
    Rob, Jan 21, 2011
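The two causes weighed above, late reordering and packet duplication, behave differently under a larger anti-replay window. The following is an added model of an ESP sliding window in the style of RFC 4303 Appendix A (not code from the thread or from Cisco; IOS internals may differ) with constructed sequence-number streams. A packet that arrives so late that it has fallen out of the window is accepted once the window is enlarged to 1024, while a duplicated packet fails the check at any window size.

```python
# Anti-replay sliding window modelled on RFC 4303 Appendix A (added
# illustration, not Cisco's implementation). The window covers the
# sequence numbers (top - size + 1) .. top; bit i of the bitmap means
# that sequence number (top - i) has already been received.
class ReplayWindow:
    def __init__(self, size):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # one bit per sequence number in the window

    def check(self, seq):
        """Return True if seq is accepted, False if the replay check fails."""
        if seq == 0:
            return False   # ESP sequence numbers start at 1
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False   # too old: already fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False   # already received: a duplicate
        self.bitmap |= 1 << diff
        return True

def replay_failures(seqs, window_size):
    """Feed a stream of sequence numbers through one SA; return the ones that fail."""
    window = ReplayWindow(window_size)
    return [s for s in seqs if not window.check(s)]

# Constructed streams: one packet (seq 10) delayed behind 190 later packets,
# and one packet (seq 3) delivered twice by the path.
REORDERED = [s for s in range(1, 201) if s != 10] + [10]
DUPLICATED = [1, 2, 3, 3, 4]

if __name__ == "__main__":
    for name, stream in (("reordered", REORDERED), ("duplicated", DUPLICATED)):
        for size in (64, 1024):
            failed = replay_failures(stream, size)
            print(f"{name:10s} window-size {size:4d}: replay check failed for {failed}")
```

The default window in the model (64) rejects the late packet, 1024 accepts it, and the duplicate is rejected either way, which is the behaviour to expect if the path really is duplicating packets.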
  2. Rob

    Rob Guest

In "show crypto ipsec sa" there are connection IDs, but they seem to be
numbered from 2000.

    Could it be that the "connection id=19" in the log message corresponds
    to the connection with conn id 2019 in the "show crypto ipsec sa" output?
    Rob, Jan 25, 2011
