9/17/2014

IPSEC: Failed Anti-Replay Checking FIXED

Sep 12 08:19:22|402119: IPSEC: Received an ESP packet from  (user= sKOPL) to  -- that failed anti-replay checking.

A failed anti-replay check is logged on the ASA when the ASA drops an ESP packet whose sequence number fails the check, i.e. when it stops an attacker from replaying a duplicate of a real packet back into the tunnel.

IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique, increasing sequence number to each encrypted packet; the receiver keeps a sliding window of recently seen sequence numbers and rejects anything already seen or older than the window.
By default the replay window is 64 packets.

Increasing the window to 512 or 1024 will fix it.

1. enable

2. configure terminal

3. crypto ipsec security-association replay window-size [N]
    Sets the size of the SA replay window globally.
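To see why the window size matters, the following added example (not part of the original post, and not Cisco code) implements the RFC 4303 sliding-window anti-replay check that an ESP receiver performs. It replays a constructed arrival order through a 64-packet window and a 512-packet window: a genuine duplicate is rejected in both cases, while a packet that arrives late by more than the window is rejected only with the small window, which is exactly the case the larger `replay window-size` setting resolves. The class name, the verdict strings and the arrival sequence are assumptions made for this example.

```python
# Sliding-window anti-replay check modelled on RFC 4303 Appendix A.
# Class, method and verdict names are hypothetical (example only).

class ReplayWindow:
    """Tracks received ESP sequence numbers inside a window of `size` packets."""

    def __init__(self, size=64):
        self.size = size      # window width in packets (ASA default is 64)
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  sequence number (top - i) was received
        self.mask = (1 << size) - 1

    def check(self, seq):
        """Return "accept", "replay", "too-old" or "invalid" and update state on accept."""
        if seq <= 0:
            return "invalid"   # ESP sequence numbers start at 1

        if seq > self.top:
            # Packet is newer than anything seen: slide the window up to it.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1    # jumped past the whole window; only `seq` is marked
            self.top = seq
            return "accept"

        diff = self.top - seq
        if diff >= self.size:
            return "too-old"      # fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return "replay"       # already received: a duplicate
        self.bitmap |= 1 << diff  # late but inside the window: accept and mark
        return "accept"


def rejected_packets(window_size, arrivals):
    """Run `arrivals` through a fresh window and list (seq, reason) for every drop."""
    win = ReplayWindow(window_size)
    drops = []
    for seq in arrivals:
        verdict = win.check(seq)
        if verdict != "accept":
            drops.append((seq, verdict))
    return drops


# Constructed arrival order: packets 1..200 in order, except that packet 5 is
# delayed and shows up at the end, followed by a duplicate copy of packet 150.
CONSTRUCTED_ARRIVALS = [s for s in range(1, 201) if s != 5] + [5, 150]

if __name__ == "__main__":
    for size in (64, 512):
        print(f"window {size}: dropped {rejected_packets(size, CONSTRUCTED_ARRIVALS)}")
    # window 64:  dropped [(5, 'too-old'), (150, 'replay')]
    # window 512: dropped [(150, 'replay')]
```

The duplicate of packet 150 is dropped regardless of window size, so enlarging the window does not weaken protection against replayed packets; it only tolerates legitimate packets that were delayed or reordered further than 64 positions, which is the traffic that otherwise produces the 402119 message.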
