what connection does "replay check failed" refer to?

For a couple of days now our 3725 has been logging messages like this:

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=9, sequence number=52601

A couple of messages are logged every hour, and the connection id changes slowly over time. I know that these refer to IPsec connections (replay checking), and I have already applied the workaround for a too-small checking window advised in a technical document:

crypto ipsec security-association replay window-size 1024

However, there is no change.

What I would like to know is: what command can be used to list the connections that the log message refers to (id=9 in this case), shortly after a message is logged? I would like to know which IPsec peer is causing those messages, so that I can investigate the internet connection used by that peer. Maybe there is an error that causes packet duplication on that connection.

Commands that I have used so far (like "show crypto isakmp sa" and "show crypto ipsec sa") do not show connection ids that match the value logged in the message.

So, what connection is it referring to?

Rob

In "show crypto ipsec sa" there are connection IDs, but it seems like they number from 2000.

Could it be that the "connection id=19" in the log message corresponds to the connection with conn id 2019 in the "show crypto ipsec sa" output?

Rob
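As an added example (not from the original thread or from Cisco), here is a small Python script that does the correlation the two posts above are after: it counts %CRYPTO-4-PKT_REPLAY_ERR lines per logged connection id from a syslog capture, parses the "current_peer" and "conn id" fields out of a saved "show crypto ipsec sa" dump, and pairs the two. The sample syslog lines and the SA excerpt are constructed for the example; the field names follow the IOS output layout. The numeric offset (log id 19 -> conn id 2019) is only the poster's hypothesis, so it is a parameter that should be confirmed against a real router before trusting the mapping.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format shown in the thread.
SAMPLE_SYSLOG = """\
Mar  3 10:02:11.123: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=9, sequence number=52601
Mar  3 10:14:40.877: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=9, sequence number=52733
Mar  3 10:51:02.004: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=19, sequence number=1187
Mar  3 11:03:59.410: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Constructed excerpt in the layout of "show crypto ipsec sa" (addresses are documentation ranges).
SAMPLE_SHOW_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
     inbound esp sas:
      spi: 0x6A1B2C3D(1780493373)
        conn id: 2009, flow_id: 9, crypto map: VPNMAP
        replay detection support: Y
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
     inbound esp sas:
      spi: 0x11223344(287454020)
        conn id: 2019, flow_id: 19, crypto map: VPNMAP
        replay detection support: Y
"""

REPLAY_RE = re.compile(
    r"%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed "
    r"connection id=(?P<cid>\d+), sequence number=(?P<seq>\d+)"
)
PEER_RE = re.compile(r"current_peer (?P<peer>\S+) port (?P<port>\d+)")
CONN_RE = re.compile(r"conn id: (?P<conn>\d+), flow_id: (?P<flow>\d+)")


def parse_replay_errors(syslog_text):
    """Return {connection id: [sequence numbers]} for every replay-error line."""
    errors = defaultdict(list)
    for line in syslog_text.splitlines():
        m = REPLAY_RE.search(line)
        if m:
            errors[int(m["cid"])].append(int(m["seq"]))
    return dict(errors)


def parse_sa_table(show_text):
    """Return {conn id: {"peer": ip, "flow_id": n}} from a "show crypto ipsec sa" dump.

    The peer address is printed once per tunnel ("current_peer"); each SA
    under it carries its own "conn id" line, so the most recent peer is
    carried forward while scanning.
    """
    table = {}
    peer = None
    for line in show_text.splitlines():
        pm = PEER_RE.search(line)
        if pm:
            peer = pm["peer"]
            continue
        cm = CONN_RE.search(line)
        if cm and peer is not None:
            table[int(cm["conn"])] = {"peer": peer, "flow_id": int(cm["flow"])}
    return table


def correlate(errors, sa_table, offset=2000):
    """Pair each logged connection id with an SA entry via a numeric offset.

    ASSUMPTION: offset=2000 is the thread's guess (log id 19 -> conn id 2019),
    not a documented relationship; verify it on your own router.
    Returns (log id, conn id or None, peer or None, error count) rows,
    most affected connection first.
    """
    rows = []
    for cid, seqs in errors.items():
        entry = sa_table.get(cid + offset)
        rows.append((cid, cid + offset if entry else None,
                     entry["peer"] if entry else None, len(seqs)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    errs = parse_replay_errors(SAMPLE_SYSLOG)
    sas = parse_sa_table(SAMPLE_SHOW_SA)
    print("log id  conn id  peer            replay errors")
    for cid, conn, peer, n in correlate(errs, sas):
        print(f"{cid:<7} {conn or '?':<8} {peer or 'unmatched':<15} {n}")
```

Feed it the router's syslog export and a saved "show crypto ipsec sa" instead of the constructed samples; a peer that keeps collecting replay errors across SA rekeys is the one whose path is worth checking for duplication or reordering. Rows that come back unmatched mean the offset guess does not hold on that box.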
