Here's a Cisco link for troubleshooting IPSec anti-replay errors.
While troubleshooting, I observed a lot of %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed logs on a Cisco router configured for an IPSec VPN:
*Sep 18 00:16:48 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=349, sequence number=4838
*Sep 18 00:26:35 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=349, sequence number=499055
*Sep 18 00:27:50 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=349, sequence number=591422
*Sep 18 00:30:58 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=349, sequence number=884929
*Sep 18 00:31:58 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=349, sequence number=969290
You can verify whether the IPSec Security Association (SA) belongs to a legitimate peer using the show crypto ipsec sa | in peer|conn id command:
2900#show crypto ipsec sa | in peer|conn id
current_peer 110.17.9.8 port 500
current_peer 175.23.30.6 port 19302
conn id: 2349, flow_id: Onboard VPN:349, sibling_flags 80000040, crypto map: VPN-PROFILE-head-1
conn id: 2350, flow_id: Onboard VPN:350, sibling_flags 80000040, crypto map: VPN-PROFILE-head-1
Once you have confirmed that the SA peer is legitimate and the failures are not the sign of a man-in-the-middle (MITM) attack, you can adjust the replay window size. The default window size is 64 packets.
2900#show run all | inc crypto ipsec
crypto ipsec optional retry 300
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
no crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 64
crypto ipsec security-association dummy
crypto ipsec transform-set default esp-aes esp-sha-hmac
crypto ipsec transform-set VPN-TSET esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile VPN-PROFILE
crypto ipsec profile default
Use the crypto ipsec security-association replay window-size <WINDOW SIZE> command. Start with 512, clear the logging buffer, and observe the logs again.
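To see why a larger window clears these logs without turning anti-replay off, here is an added example (not from the original post or from Cisco) that models the ESP anti-replay sliding window in the style of RFC 4303 Appendix A and parses the router's log lines by connection id. The packet sequence, the 64-packet default, the 512-packet window and the two sample log entries are all constructed for the demonstration; the router's real implementation details are assumed, not quoted.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the router's syslog output.
SAMPLE_LOG = """\
*Sep 18 00:16:48 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=349, sequence number=4838
*Sep 18 00:26:35 UTC: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=349, sequence number=499055
"""

# The message and its "connection id=..., sequence number=..." detail span two lines.
REPLAY_RE = re.compile(
    r"PKT_REPLAY_ERR.*?\n\s*connection id=(\d+), sequence number=(\d+)", re.S)


def parse_replay_errors(log_text):
    """Group replay-check failures by connection id -> list of ESP sequence numbers."""
    by_conn = defaultdict(list)
    for conn, seq in REPLAY_RE.findall(log_text):
        by_conn[int(conn)].append(int(seq))
    return dict(by_conn)


class AntiReplayWindow:
    """Sliding anti-replay window (32-bit sequence numbers, no ESN), RFC 4303 A.2 style."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.mask = (1 << window_size) - 1
        self.last_seq = 0   # right edge of the window: highest sequence number accepted
        self.bitmap = 0     # bit i set  =>  sequence number (last_seq - i) already received

    def check(self, seq):
        """Return True if seq is accepted; False if it fails the replay check."""
        if seq > self.last_seq:
            # New right edge: slide the window forward and mark this packet received.
            shift = seq - self.last_seq
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window_size:
            return False        # older than the window: dropped, "replay check failed"
        if (self.bitmap >> diff) & 1:
            return False        # already seen inside the window: a genuine replay
        self.bitmap |= 1 << diff
        return True


def simulate(window_size, arrivals):
    """Feed an arrival order through a window; return the sequence numbers it rejects."""
    win = AntiReplayWindow(window_size)
    return [seq for seq in arrivals if not win.check(seq)]


# Constructed scenario: packet 50 is held back behind 150 later packets (for example
# by QoS queuing or multipath reordering) before it arrives, and packet 190 is
# delivered twice, which is what a real replay looks like.
DELAYED = list(range(1, 50)) + list(range(51, 201)) + [50, 190]

if __name__ == "__main__":
    print("log failures by connection id:", parse_replay_errors(SAMPLE_LOG))
    print("rejected with window 64: ", simulate(64, DELAYED))   # [50, 190]
    print("rejected with window 512:", simulate(512, DELAYED))  # [190]
```

With the default 64-packet window the late-but-legitimate packet 50 is dropped because it is now 150 sequence numbers behind the right edge, which is exactly the condition that produces the log above; with a 512-packet window it is accepted. The duplicate (190) is rejected at both sizes, so widening the window tolerates reordering without disabling replay protection. The connection id that parse_replay_errors groups on is what you compare against the conn id and flow_id fields in the show crypto ipsec sa output to tie a burst of failures to a specific peer.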
2900#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
2900(config)#crypto ipsec security-association replay window-size ?
1024 Window size of 1024
128 Window size of 128
256 Window size of 256
512 Window size of 512
64 Window size of 64 (default)
2900(config)#crypto ipsec security-association replay window-size 512
2900(config)#end
2900#write memory
Building configuration...
[OK]
2900#clear log
Clear logging buffer [confirm]
I didn't observe the said logs afterwards (for more than 30 minutes).
*Sep 18 01:08:37 UTC: %CLEAR-5-COUNTERS: Clear counter on all interfaces by admin on vty0 (202.7.6.8)
2900#
2900#show clock
*01:46:12.854 UTC Mon Sep 18 2023