SRX Services Gateway

SRX550 IPSec Replay errors

‎02-21-2019 08:05 PM
An SRX550 Chassis Cluster established an IPsec VPN with a Hillstone SG-6000-E3960.
When the IPsec SA has just initialized, the traffic flows; then, after a couple of minutes or seconds, ping and other traffic stop flowing.
On the SRX, the Replay errors counter increments very rapidly when I run 'show security ipsec statistics'. All the ESP packets received from Hillstone are marked as replay errors.
Using Wireshark to view the pcap file from the external interface, the ESP sequence numbers look fine.
When I clear the current IPsec SA and a new SA is built, traffic flow recovers for a short time; after that, the replay errors happen again......
In all of the above situations, the Phase 1 and Phase 2 SAs are up.
Now I have to set no-anti-replay in the IPsec settings on the SRX550.
SRX550 version: 12.3X48-D75.4 (recommended by JTAC now)
Hillstone version: SG6000-M-3-5.0R4P7-v6 (maybe obsolete?)
On the SRX550, several other VPNs connected to branches are working fine, and the Hillstone SG6000 is also like this.
What is the possible reason for the replay errors on the SRX, and how can I debug it?
Any help would be appreciated.

Re: SRX550 IPSec Replay errors

‎02-21-2019 10:57 PM
We may follow the instructions on KB29580 - Anti-replay errors on VPN tunnel

Re: SRX550 IPSec Replay errors

‎02-24-2019 11:55 PM
I have checked the possible reasons in the link; it doesn't work.
There is no high delay in the network, and the latency is 30~40 ms between the VPN peers.
There are no high traffic loads.
I have already set the TCP MSS to 1350.
I captured the ESP packets received from Hillstone and reviewed them in Wireshark. The ESP sequence is pretty good: only 1 or 2 packets are occasionally in the wrong order, and the replay window on the SRX550 is 64.
So there is no reason for replay errors.
Anything wrong?
Thanks for replying.
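To see why one or two swapped packets cannot legitimately trip a 64-packet window, here is an added example (not code from the thread, from Juniper or from Hillstone) that models the RFC 4303 Appendix A sliding-window anti-replay check and keeps a counter analogous to the SRX 'Replay errors' statistic. The sequence-number streams fed to it are constructed to resemble what the capture above shows: a monotonically increasing ESP stream with neighbouring packets occasionally swapped. A receiver that implements the window correctly accepts such a stream with zero replay errors; only genuine duplicates or packets older than the window are rejected.

```python
"""RFC 4303 style sliding-window anti-replay check (added illustration).

Assumptions: a 64-bit window as the poster reports, 32-bit (non-ESN)
sequence numbers, and constructed sequence streams rather than a real pcap.
"""


class AntiReplayWindow:
    """Bitmap sliding window; bit i set means sequence (highest - i) was seen."""

    def __init__(self, window_size: int = 64):
        self.window_size = window_size
        self.highest = 0           # highest sequence number accepted so far
        self.bitmap = 0            # bit 0 corresponds to self.highest
        self.replay_errors = 0     # analogue of the SRX 'Replay errors' counter

    def check(self, seq: int) -> bool:
        """Return True if seq is accepted; False (and count it) if rejected."""
        if seq == 0:
            self.replay_errors += 1          # ESP sequence 0 is never valid
            return False
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window right.
            shift = seq - self.highest
            if shift < self.window_size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            else:
                self.bitmap = 1              # jumped past the whole window
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window_size:
            self.replay_errors += 1          # older than the window: dropped
            return False
        if self.bitmap & (1 << diff):
            self.replay_errors += 1          # already seen inside the window: replay
            return False
        self.bitmap |= 1 << diff             # late but unseen: accept and mark
        return True


def run_stream(seqs, window_size: int = 64):
    """Feed a sequence-number stream through a window; return (accepted, replay_errors)."""
    window = AntiReplayWindow(window_size)
    accepted = sum(1 for s in seqs if window.check(s))
    return accepted, window.replay_errors


def mildly_reordered_stream(n: int, swap_every: int = 50):
    """Constructed stream 1..n with two neighbouring packets swapped every swap_every packets."""
    seqs = list(range(1, n + 1))
    for i in range(swap_every, n - 1, swap_every):
        seqs[i], seqs[i + 1] = seqs[i + 1], seqs[i]
    return seqs


if __name__ == "__main__":
    print("mild reordering:", run_stream(mildly_reordered_stream(1000)))      # (1000, 0)
    print("true duplicate: ", run_stream([1, 2, 3, 3]))                        # (3, 1)
    print("outside window: ", run_stream(list(range(1, 101)) + [5]))           # (100, 1)
    print("edge of window: ", run_stream([100, 37]), run_stream([100, 36]))    # (2, 0) (1, 1)
```

The useful diagnostic is the contrast: if the capture shows only occasional neighbouring swaps yet the device counter climbs with every received ESP packet, the packets are inside the window and a correct check would accept them, which points at the receiver's implementation (or an SA/sequence state mismatch between the peers) rather than at the network. Disabling anti-replay removes the symptom but also the protection, so it is a workaround to hold until the vendor fix is identified.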

Re: SRX550 IPSec Replay errors

‎02-25-2019 02:56 AM
If you have confirmed in Wireshark that the replay messages are in error, that means there is a software bug in the version of Junos you are running for the replay detection.

Your options are to turn replay detection off or find out from JTAC what version you need to upgrade Junos to in order to get the fix for the bug. They will need to search the PR database and let you know what version it appears in and where it is fixed.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)