Thursday, July 18, 2019

VPN Tunnel anti-replay check question

Lately I've been getting a lot of anti-replay errors on a VPN tunnel connected to a third party. It's been up a few years but this started about a month ago. I have several other tunnels on the same device that are not having any problems.

I ran some packet captures and I see some ESP packets with sequence numbers that have already been received at least once, sometimes more, so they cause the error and get dropped. The recommended fix is to increase the anti-replay window size for the tunnel incrementally until the errors go away, but I don't want to assume that there isn't something else going on.

You can also disable anti-replay but it's a global command and I don't want to do that for all the tunnels.

From what I've read there are various possible causes that are relatively benign, e.g. QoS implemented somewhere in the path, congestion, or a mismatch with the device at the other end, particularly if it's from a different manufacturer. I don't know what kind of device they have on the other side; my end is an ASA-5555-X running 9.6(4)10. I think anti-replay is a Cisco thing and not supported by all manufacturers. I plan on contacting the other party but it might take a while to get a response.

Does increasing the window size compromise the security of the tunnel at all? I've read that it doesn't but thought I'd ask if anyone here has any experience with it, or any other thoughts.
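
The question above turns on what the anti-replay window actually decides. The following model of the ESP receiver-side sliding window (RFC 4303, section 3.4.3) is an added example for this page; it is not the poster's capture, not ASA code, and it ignores extended sequence numbers. The sequence-number stream in `constructed_capture()` is constructed to contain the two situations a capture can show: packets that arrive late (held back by queuing) and packets that arrive a second time. Running it through windows of different sizes separates the two.

```python
"""ESP anti-replay sliding window, modelled after RFC 4303 section 3.4.3.

Added example for this post; it is not the poster's capture or any
vendor's code, and it ignores extended sequence numbers. Receiver
state is the highest sequence number accepted so far (the right edge
of the window) plus a bitmap of the `window` sequence numbers below it.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound ESP SA."""

    def __init__(self, window: int = 64):
        if window < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.window = window
        self.right = 0    # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (right - i) already accepted

    def check(self, seq: int) -> str:
        """Classify one received sequence number and update the window.

        Returns 'accept', 'duplicate' (already received: the replay case)
        or 'too_old' (below the window: the reordering-beyond-window case).
        """
        if seq < 1:
            raise ValueError("ESP sequence numbers start at 1")
        if seq > self.right:
            # New high-water mark: slide the window up and mark this packet.
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.right = seq
            return "accept"
        offset = self.right - seq
        if offset >= self.window:
            return "too_old"          # dropped purely because of the window size
        if self.bitmap & (1 << offset):
            return "duplicate"        # dropped whatever the window size is
        self.bitmap |= 1 << offset    # late but never seen: accept it once
        return "accept"


def classify(seqs, window: int) -> dict:
    """Run a sequence-number stream through a fresh window; return verdict counts."""
    counts = {"accept": 0, "duplicate": 0, "too_old": 0}
    state = AntiReplayWindow(window)
    for seq in seqs:
        counts[state.check(seq)] += 1
    return counts


def constructed_capture() -> list:
    """Constructed stream standing in for the ESP sequence numbers of a capture.

    Packets 30 and 40 are held back (e.g. by a QoS queue) and arrive after
    packet 100, packet 50 arrives twice back to back, and packet 10 is
    replayed at the very end, long after it was first accepted.
    """
    seqs = list(range(1, 101))
    seqs.remove(30)
    seqs.remove(40)
    seqs.insert(seqs.index(50) + 1, 50)
    seqs += [40, 30, 10]
    return seqs


if __name__ == "__main__":
    stream = constructed_capture()
    for window in (64, 128, 1024):
        print(window, classify(stream, window))
```

With a 64-packet window the late packet 40 is accepted, the late packet 30 and the replayed packet 10 are both dropped, and the back-to-back 50 is dropped as a duplicate; with a 128-packet window packet 30 is now accepted, while 10 and the second 50 are still dropped, this time both as duplicates. That is the check worth doing on a real capture before resizing the window: if the dropped sequence numbers were never accepted earlier in the same SA, a larger window will let them through and costs no authentication; if they were already accepted once, no window size accepts them a second time, and the peer or the path is genuinely re-sending packets.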
