I’m sure you’ve all logged into a VPN router once or twice and seen this syslog:

%IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS: %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle X, src_addr x.x.x.x, dest_addr y.y.y.y, SPI 0x0

Here is everything you need to know regarding the feature, the causes of the syslog, and the solutions to it.

IPsec Anti-Replay is a feature of the ESP data plane that sequentially marks packets with a number as they are encapsulated. Basically, this numbering system gives the receiving end protection against replay attacks. Each new packet is encapsulated/encrypted, its sequence number (in the ESP header) is incremented by one, and it is sent on. Packets are literally marked in the data plane with a sequence number that is NOT encrypted. Here’s what this looks like in a Wireshark capture (ESP Sequence is the name of the field in the header):

[Image: ipsec anti-replay window-size as ESP sequence number]

The other side receives the packet and references its sliding window: the sequence number is checked only once the packet makes it to the receiving end.
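To make the receiving end’s sliding-window check concrete, here is an added example (not code from the original post or from any vendor’s implementation) of an RFC 4303-style bitmap anti-replay window, fed a constructed list of ESP sequence numbers; it reports which packets would trigger the anti-replay error above.

```python
class AntiReplayWindow:
    """Right edge = highest ESP sequence number accepted so far; a bitmap of
    `size` bits records which of the last `size` sequence numbers arrived."""

    def __init__(self, size=64):
        self.size = size
        self.right = 0      # highest sequence number accepted (0 = none yet)
        self.bitmap = 0     # bit i set => sequence (right - i) was received

    def check(self, seq):
        """True if seq is acceptable; False if it is a replay or too old."""
        if seq == 0:
            return False                    # 0 is never a valid ESP sequence
        if seq > self.right:
            return True                     # new highest: always accepted
        diff = self.right - seq
        if diff >= self.size:
            return False                    # fell off the left edge: dropped
        return not (self.bitmap >> diff) & 1   # already seen => replay

    def update(self, seq):
        """Mark seq as received; call only after check(seq) returned True."""
        if seq > self.right:
            shift = seq - self.right        # slide the window to the right
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) | 1
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def receive(self, seq):
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def process(seqs, size=64):
    """Run ESP sequence numbers through one window; return those that the
    receiver would reject with an anti-replay error."""
    win = AntiReplayWindow(size)
    return [s for s in seqs if not win.receive(s)]


# Constructed input: in-order packets, a harmless reorder (7 before 6), a true
# replay of 7, then packet 3 arriving after the window has slid past it.
SAMPLE = [1, 2, 3, 4, 5, 7, 6, 7, 70, 3, 71]

if __name__ == "__main__":
    print("anti-replay errors for:", process(SAMPLE, size=64))  # [7, 3]
```

Note that the reordered packet 6 is accepted while the late packet 3 is not, which is why heavy reordering or QoS delay on the path can raise this syslog without any attacker present.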