
Here at CentricsIT, we are your IT experts. When any IT maintenance issue arises in your data center, we are here to help. If there is an error code you can’t fix, let us assist you in our monthly FixIT column. This month, we’re focusing on an anti-replay error on VPN tunnels for Juniper’s SRX line of equipment.

The error message displays as:
RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on .local..0 with tunnel ID 0x2000d! From 1.1.1.1 to 2.2.2.2, ESP, SPI 0xbd48845f, SEQ 0x347bb.

The anti-replay error relates to the IPsec anti-replay mechanism, which protects an ESP tunnel against someone capturing packets and sending them again. IPsec provides this protection by adding a monotonically increasing sequence number to each ESP packet; the receiver tracks recently seen sequence numbers in a sliding window and drops any packet whose number is a duplicate or falls behind the window. Packets that legitimately arrive far enough out of order to land outside that window are dropped in exactly the same way, which is what produces this error and breaks traffic over the tunnel.

To confirm the issue, run the following two commands to display the IPsec statistics and the log messages:

SRX> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:   2186178848
  Decrypted bytes:   2426574164
  Encrypted packets: 2812235607
  Decrypted packets: 4058561044
AH Statistics:
  Input bytes:    0
  Output bytes:   0
  Input packets:  0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 5674818   <<<<<<
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

SRX> show log messages

RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on .local..0 with tunnel ID 0x2000d! From 1.1.1.1 to 2.2.2.2, ESP, SPI 0xbd48845f, SEQ 0x347bb.

Several conditions can cause this error to appear, such as:

  • High traffic loads that deliver packets out of order, so that some of them are treated as replays and dropped
  • High-delay ISP networks, where fragments or delayed packets arrive behind their normal order and are dropped
  • QoS configurations that mark some ESP packets as lower priority, so they are queued longer and arrive out of order
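Why a late or duplicated ESP packet ends up in the "Replay errors" counter, as an added example that is not part of the original article: a minimal RFC 4303-style sliding-window check, fed a constructed trace in which one packet (sequence number 10) is delayed behind ninety later packets, as a low-priority QoS queue might do, followed by one genuine duplicate. The class and function names, the window sizes and the trace are my own assumptions, not Junos code; the run with a larger window goes beyond the article to show that reordering tolerance depends on the window size.

```python
# Added illustration of the ESP anti-replay sliding window (RFC 4303, 3.4.3).
# The receiver remembers only the last `window_size` sequence numbers, so a
# packet that is late by more than the window, or a second copy of a number
# already seen, is rejected and counted just like a replayed packet.
# Names below are my own, not Junos code; the trace is constructed.

class AntiReplayWindow:
    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) already received
        self.replay_errors = 0  # what the SRX reports as "Replay errors"

    def check(self, seq):
        """Return True if `seq` is accepted, False if dropped as a replay."""
        if seq == 0:            # ESP never uses sequence number 0
            self.replay_errors += 1
            return False
        if seq > self.highest:  # newer than anything seen: slide the window
            shift = seq - self.highest
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:   # too late: fell off the window
            self.replay_errors += 1
            return False
        if self.bitmap & (1 << offset):  # already received: a duplicate
            self.replay_errors += 1
            return False
        self.bitmap |= 1 << offset       # late but inside the window: accept
        return True


def run_trace(seqs, window_size=64):
    """Feed sequence numbers through one window; return (accepted, replay_errors)."""
    window = AntiReplayWindow(window_size)
    accepted = [s for s in seqs if window.check(s)]
    return accepted, window.replay_errors


# Constructed trace: packets 1..100 with packet 10 delayed until after 100
# (as a low-priority QoS queue could do), then a true duplicate of 100.
DELAYED_TRACE = list(range(1, 10)) + list(range(11, 101)) + [10, 100]

if __name__ == "__main__":
    for size in (64, 128):
        accepted, errors = run_trace(DELAYED_TRACE, size)
        print(f"window {size}: accepted {len(accepted)}, replay errors {errors}")
```

With a 64-entry window the delayed packet 10 is dropped as a replay (two errors, counting the duplicate); with a 128-entry window it is accepted and only the duplicate is rejected. Disabling anti-replay as the article recommends turns this check off entirely, so duplicated ESP packets are then accepted along with late ones.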

To resolve this issue, disable anti-replay checking on the affected VPN with the following configuration-mode command (shown here for the VPN named vpn-1):

#set security ipsec vpn vpn-1 ike no-anti-replay

The resulting VPN configuration then looks like this:

vpn vpn-1 {
    bind-interface st0.1;
    vpn-monitor {
        source-interface ge-0/0/2.0;
        destination-ip 192.168.10.253;
    }
    ike {
        gateway gw-1;
        no-anti-replay;
        ipsec-policy ipsec-pol;
    }
    establish-tunnels immediately;
}

If you have any further questions about the anti-replay error for VPN tunnels within Juniper’s SRX series, contact our dedicated IT support staff by calling us toll free at 1 (877) 531-7466.

Want more out of your hardware support? Contact a Support Specialist at CentricsIT to employ a more proactive approach to your IT lifecycle management.