fail antireplay check

- M
- mcaissie
  
  Contact options for registered users
posted
16 years ago

Thu, Dec 21, 2006 4:02 PM

Hi,

I have a l2l VPN between a PIX 520 6.3(5) and a PIX 506 6.3(5) and i noticed today that the 520 is logging the following message .

IPSEC(cipher_ipsec_request): decap failed for [peer] -> [pix] IPSEC(sw_esp_decap): fail antireplay check

I did a clear cry isakmp sa and clear cry ipsec sa on both PIX and the message didn't reappear since but i am not sure if it resolved the problem .

But what exactly is the antireplay check and what can i conclude from this message ?

transform-set is esp-3des esp-sha-hmac

Loading thread data ...

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
16 years ago

Wed, Dec 27, 2006 6:41 PM

It received the same packet twice, but there are internal checks active that present the same packet from being processed twice.

Receiving the same packet twice can be a simple matter of network congestion holding something up long enough that the sender thinks that it needs to retransmit (e.g., if the acknowledgement got lost.) In that situation it is harmless and does not require regenerating SAs or any action (but a slew of them could hint at network problems.)

It is also -possible- that someone was able to capture one of your packets and tried to break your system by re-sending it. I think that unlikely, but it could happen.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.