As previously described, the purpose of replay checks is to protect against malicious repetitions of packets. However, there are some scenarios where a failed replay check might not be due to a malicious reason:
Decrypted Packet Failed Sa Identity Check Cisco Juniper
To check the status of the phase - 2 IPSec tunnels, you can use show crypto ipsec sa command. #pkts encrypt and #pkts decrypt are a very good indicator if you run into any issues. If you see the 'number of packets' encrypted increasing but the 'number of packets' decrypted stays the same then the issue is with receiving the packets, more likely an issue on the other side. If you see the 'number of packets encrypted' stays the same then our side of the ASA is not sending any traffic through the tunnel.
I have this problem too (Windows Server 2012R2 Evaluation) and I solved it with this workaround. The problem occurs when you have enabled NAT on the internet facing interface for internet access of the local LAN. The traffic generated in the local LAN with destination the remote LAN is NATted before the encryption. The Cisco receive this encrypted packet, decrypt it, but the source IP of the decrypted packet is the public IP address of the Windows Server. Because this is an error, the Cisco router discard the packet and increment the error count. You can see this counter in the Cisco router with the command show crypto ipsec sa detail and the counter appears in pkts decaps failed (rcv). Also, you can see the counters in the NAT statistics in the Windows Server. 2ff7e9595c
Comments