Thursday, March 27, 2008

IOS: %CRYPTO-4-PKT_REPLAY_ERR replay check failed

%CRYPTO-4-PKT_REPLAY_ERR : [chars] connection id=[dec]

IOS 12.4 --> Syslogs --> CRYPTO Messages
http://www.cisco.com/en/US/products/ps6350/products_system_message_guide_chapter09186a0080462676.html#wp164939
Error Message:
%CRYPTO-4-PKT_REPLAY_ERR : [chars] connection id=[dec]

Explanation: The replay processing has failed. The failed replay processing may be a temporary condition caused by the wait for new SAs to be established. In the inbound case, this error might also be caused by an actual replay attack. This activity can be considered a hostile event.

Recommended Action: If the problem appears to be more than a transient one, contact the peer administrator.
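The recommended action hinges on telling a transient burst from a sustained problem. Below is an added Python example (not from Cisco or this page) that groups the message by connection id over a log excerpt and flags ids that keep logging errors for longer than a rekey should take. The log lines are constructed in the format quoted on this page, and the thresholds (5 events over at least 60 seconds) are assumptions picked for the example, not Cisco guidance.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not a real capture), in the format this page shows.
# Connection id 1 keeps logging for well over a minute; connection id 2 logs once.
SAMPLE_LOG = """\
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:27:32.401: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:27:33.010: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:27:55.120: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:28:40.777: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:29:01.900: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
*Nov 17 19:29:02.150: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=2
*Nov 17 19:29:05.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
"""

# Matches the message format quoted above. The leading '*' and the milliseconds are
# optional because IOS timestamp formatting depends on 'service timestamps' settings.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%CRYPTO-4-PKT_REPLAY_ERR: (?P<what>.*?) connection id=(?P<cid>\d+)\s*$"
)


def triage_replay_errors(log_text, min_events=5, min_span_s=60.0):
    """Group replay errors by connection id and flag the ones that look sustained.

    A handful of messages while SAs are (re)established is expected. The same
    connection id logging repeatedly over a longer span is what "more than a
    transient one" means in practice and is worth raising with the peer admin.
    Timestamps carry no year, so spans are only meaningful within one year.
    """
    stamps_by_cid = defaultdict(list)
    what_by_cid = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        cid = int(m.group("cid"))
        stamps_by_cid[cid].append(ts)
        what_by_cid[cid].add(m.group("what"))  # 'decrypt: ...' is the inbound case

    report = {}
    for cid, stamps in stamps_by_cid.items():
        span = (max(stamps) - min(stamps)).total_seconds()
        report[cid] = {
            "count": len(stamps),
            "span_s": span,
            "what": sorted(what_by_cid[cid]),
            "sustained": len(stamps) >= min_events and span >= min_span_s,
        }
    return report


if __name__ == "__main__":
    for cid, info in sorted(triage_replay_errors(SAMPLE_LOG).items()):
        verdict = "SUSTAINED - contact peer admin" if info["sustained"] else "transient"
        print(f"connection id={cid}: {info['count']} errors over {info['span_s']:.0f}s -> {verdict}")
```

Run it against `show logging` output saved to a file instead of the embedded sample to triage a real router; the regex only needs the message body to match what the page quotes.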

CSCeg43855 - Router generated traffic causes anti-replay errors
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeg43855&Submit=Search

Symptoms: An encrypting router may send traffic that is locally originated (such as keepalive packets or routing update packets) out of order after the packets have been encrypted. Because of the anti-replay check failure, these packets are dropped on the receiving router.

Conditions: This symptom is observed when a multipoint GRE (mGRE) and IPSec tunnel is built between two routers.

Workaround: Turn off packet authentication for the configured IPSec transform.

Further Problem Description: On a Cisco 7200 series that functions as the receiving router, you can observe the symptom in the output of the show crypto ipsec sa detail or show pas isa interface command.

IOS 12.4 --> IPSec Anti-Replay Window: Expanding and Disabling
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html
Troubleshooting Tips:
If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:

*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1

The above message is generated when a received packet is judged to be outside the anti-replay window.

Additional Notes:

If there is no interruption of service, the message can be a normal, temporary condition, especially while the SAs (the IPsec security associations behind the tunnel) are still being established or rekeyed. Anything that reorders packets after encryption, such as QoS queuing on the tunnel interface or the locally originated traffic described in CSCeg43855, can also push packets outside the default window of 64 packets and produce the same message with no attacker involved.

Otherwise, I suggest setting the anti-replay window to, say, 1024:

crypto ipsec security-association replay window-size 1024

Take note that the above command was introduced in 12.3(14)T; older versions do not support this command. Widening the window is preferable to the CSCeg43855 workaround of dropping packet authentication from the transform set, which removes integrity protection from the tunnel; disabling the anti-replay check altogether (also covered in the document above) removes the replay protection and should be a last resort.
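To make the troubleshooting tip above concrete (why a packet "outside the anti-replay window" is dropped, and what widening the window to 1024 buys), here is an added Python model of the receiver-side sliding-window check along the lines of RFC 4303 Appendix A. It is an illustration written for this post, not Cisco's implementation; the 64-packet default, the delayed-keepalive scenario and the window sizes tried are assumptions chosen for the example.

```python
"""Sliding-window anti-replay check, modelled on RFC 4303 Appendix A.

The receiver remembers the highest sequence number accepted ("top") and a bitmap
of the `size` most recent sequence numbers. A packet is rejected if it repeats
one already seen (a replay) or if it is older than the window can remember
(the "replay check failed" case IOS logs). Constructed illustration, not IOS code.
"""


class AntiReplayWindow:
    def __init__(self, size=64):          # 64 is assumed as the default window size
        self.size = size
        self.top = 0                      # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return 'accept', 'replay' or 'outside-window' for sequence number seq."""
        if seq <= 0:
            return "replay"               # sequence number 0 is never valid
        if seq > self.top:
            # Newer than anything seen: slide the window forward and mark seq.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1           # everything previously tracked falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "outside-window"       # too old to be tracked: the logged case
        if self.bitmap & (1 << offset):
            return "replay"               # already accepted once: a real duplicate
        self.bitmap |= 1 << offset        # late but inside the window: accept and mark
        return "accept"


def delayed_packet_result(window_size, delay):
    """Deliver packets 2..delay+1 first, then packet 1 (think of a keepalive that
    was encrypted early but queued behind `delay` data packets, as in CSCeg43855).
    Returns the verdict the receiver gives the late packet."""
    win = AntiReplayWindow(window_size)
    for seq in range(2, delay + 2):
        assert win.check(seq) == "accept"
    return win.check(1)


if __name__ == "__main__":
    for size in (64, 1024):
        for delay in (50, 100, 500):
            print(f"window={size:5d} delay={delay:4d} -> {delayed_packet_result(size, delay)}")
```

With the 64-packet window a packet delayed by more than 63 positions is rejected as outside the window even though it is not a duplicate; with 1024 the same packet is accepted, while genuine duplicates are still caught as replays because the bitmap remembers them.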
