SRX Services Gateway

esp sec tunnel protocol

‎07-16-2019 05:18 PM

Hi all,

What is the reason the following message log is being generated? And what troubleshooting should be done, and what solution would address it?

RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on xe-1/1/2.0 with tunnel ID 0x4000100! From to, ESP, SPI 0x293be11c, SEQ 0x169af.


Re: replay errors

‎07-16-2019 05:40 PM

This could be an attack or the result of network congestion or fragmentation issues. This KB outlines the possible causes and options.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)

Re: replay errors

‎07-16-2019 07:49 PM

Hi Arix,


The reason you're seeing this log message is due to the Replay attack, where the ESP packet is intercepted, then modified and re-transmitted back.


However, it may not be due to an attack but other factors such as congestion, out-of-order packets, etc.


As spuluka stated, please refer to the KB article for more explanation and let us know if you have further queries.

Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
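
The reordering case the replies above mention, as an added example that is not part of the original thread and not Juniper code: a receiver-side anti-replay window in the style of RFC 4303, run over constructed arrival orders. The class and function names and the window width of 64 are assumptions for illustration.

```python
from collections import Counter

class AntiReplayWindow:
    """Receiver-side ESP anti-replay window (RFC 4303 style, 32-bit SEQ, no ESN)."""

    def __init__(self, size=64):          # 64 is an assumed window width
        self.size = size
        self.top = 0                      # highest sequence number accepted
        self.bitmap = 0                   # bit i set => (top - i) already seen

    def check(self, seq):
        """Classify one sequence number and update the window."""
        if seq < 1:                       # ESP sequence numbers start at 1
            return "invalid"
        if seq > self.top:                # new highest: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:           # left of the window: cannot be judged
            return "too_old"
        if (self.bitmap >> offset) & 1:   # inside the window and already seen
            return "duplicate"
        self.bitmap |= 1 << offset        # late but new: accept and mark
        return "accept"

def run(arrivals, size=64):
    """Return the verdict for each sequence number in arrival order."""
    window = AntiReplayWindow(size)
    return [window.check(seq) for seq in arrivals]

# Constructed arrival orders (not captured traffic).
DELAYED = list(range(1, 100)) + list(range(101, 201)) + [100]   # 100 arrives 100 late
MILD = list(range(1, 100)) + list(range(101, 111)) + [100]      # 100 arrives 10 late
REPLAYED = list(range(1, 161)) + [150]                          # 150 seen twice

if __name__ == "__main__":
    for name, stream in (("delayed", DELAYED), ("mild", MILD), ("replayed", REPLAYED)):
        print(name, Counter(run(stream)))
    print("delayed, window 128:", run(DELAYED, size=128)[-1])
```

A packet delayed past the window width is rejected just as a true duplicate is, which is why reordering or congestion alone can produce replay drops without any attacker on the path.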

Re: replay errors

‎07-16-2019 09:37 PM

Is it possible to get TCP 3-way handshake sessions via tcpdump from the shell to see ESP packet behaviours? Or is it not possible?


Tried the following but it didn't work:

tcpdump -in xe-1/1/1 -s 5000 -w /var/tmp/capture.pcap -c 1000
BIOCSETIF: n: Device not configured


Re: replay errors

‎07-18-2019 07:02 PM



Since this is ESP there is no TCP handshake involved. As regards the packet-capture, I would suggest using the packet-capture functionality in the firewall.


Which is the firewall model you have? Depending on this you can do the pcap via datapath-debug (For SRX-HE) or forwarding-options (For SRX-Branch). The Source and destination IP you need to use in the filter would be the VPN end-points. This would capture ESP traffic.



PCAP on SRX-Branch:


Hope this helps. Regards,