SRX Services Gateway

esp sec tunnel protocol

[ Edited ]
07-16-2019 05:18 PM

Hi all,

What is the reason the following log message is generated? And what troubleshooting should be done, and what solution applied to address it?

RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on xe-1/1/2.0 with tunnel ID 0x4000100! From 10.10.10.10 to 150.145.260.18/552, ESP, SPI 0x293be11c, SEQ 0x169af.


Re: replay errors

07-16-2019 05:40 PM

This could be an attack or the result of network congestion or fragmentation issues. This KB outlines the possible causes and options.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29580

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: replay errors

07-16-2019 07:49 PM

Hi Arix,

The reason you're seeing this log message is a replay attack, where the ESP packet is intercepted, then modified and re-transmitted.

However, it may not be due to an attack but other factors such as congestion, out-of-order packets, etc.

As spuluka stated, please refer to the KB article for more explanation and let us know if you have further queries.

Thanks,
π00bm@$t€®.
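To make the replay check concrete, here is an added example (not code from the thread, Juniper, or Junos) that parses an RT_IPSEC_REPLAY line into its tunnel, SPI and sequence fields and simulates the RFC 4303 sliding anti-replay window, so you can see which sequence-number patterns (duplicates, and packets that arrive too late to fit in the window) produce this log. The log line is constructed from the one quoted above with a documentation address substituted; the 64-packet window size is an assumption, not a statement of what the SRX uses.

```python
import re

# Constructed sample line, modelled on the message quoted in the question
# (destination replaced with a documentation address).
LOG_LINE = ("RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on "
            "xe-1/1/2.0 with tunnel ID 0x4000100! From 10.10.10.10 to "
            "192.0.2.18/552, ESP, SPI 0x293be11c, SEQ 0x169af.")

REPLAY_RE = re.compile(
    r"RT_IPSEC_REPLAY: .* on (?P<ifl>\S+) with tunnel ID (?P<tid>0x[0-9a-f]+)! "
    r"From (?P<src>[\d.]+) to (?P<dst>[\d.]+)/\d+, ESP, SPI (?P<spi>0x[0-9a-f]+), "
    r"SEQ (?P<seq>0x[0-9a-f]+)\.")

def parse_replay_log(line):
    """Return the interface/tunnel/SPI/sequence fields of an RT_IPSEC_REPLAY line, or None."""
    m = REPLAY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ifl": d["ifl"], "tunnel_id": int(d["tid"], 16), "src": d["src"],
            "dst": d["dst"], "spi": int(d["spi"], 16), "seq": int(d["seq"], 16)}

class AntiReplayWindow:
    """Sliding anti-replay window as described in RFC 4303 (size is an assumption).
    A packet is rejected, which is the event the SRX reports as RT_IPSEC_REPLAY,
    if its ESP sequence number is older than the window or was already received."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # top = highest seq accepted

    def check(self, seq):
        if seq > self.top:                       # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # too old: fell off the left edge
            return False
        if self.bitmap & (1 << offset):          # already received: duplicate / replay
            return False
        self.bitmap |= 1 << offset               # late but within window: accept
        return True

def rejected_sequences(seqs, size=64):
    """Feed a stream of ESP sequence numbers through one window; return those rejected."""
    w = AntiReplayWindow(size)
    return [s for s in seqs if not w.check(s)]
```

Out-of-order packets inside the window are accepted, so congestion alone does not trigger the log; only duplicates or packets delayed past the window edge do.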

Re: replay errors

[ Edited ]
07-16-2019 09:37 PM

Is it possible to get TCP 3-way handshake sessions via tcpdump from the shell to see ESP packet behaviours? Or is it not possible?

I tried the following but it didn't work:

tcpdump -in xe-1/1/1 -s 5000 -w /var/tmp/capture.pcap -c 1000
BIOCSETIF: n: Device not configured


Re: replay errors

[ Edited ]
07-18-2019 07:02 PM

Hi,

Since this is ESP there is no TCP handshake involved. As regards the packet-capture, I would suggest using the packet-capture functionality in the firewall.

Which firewall model do you have? Depending on this you can do the pcap via datapath-debug (for SRX-HE) or forwarding-options (for SRX-Branch). The source and destination IPs you need to use in the filter would be the VPN endpoints. This would capture ESP traffic.

PCAP on SRX-HE: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563

PCAP on SRX-Branch: https://kb.juniper.net/InfoCenter/index?page=content&id=kb11709

Hope this helps. Regards,

Vikas