ah_input: packet replay failure
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Thu Dec 2 21:00:08 UTC 2010
On Thu, 2 Dec 2010, Eugene M. Zheganin wrote:
Hi,
> What does this message means ?
> I'm getting a lots of those.
>
> ===Cut===
> Dec 2 14:35:15 ural85-gw0-omega kernel: ah_input: packet replay failure:
> SA(SPI=3662816 src=10.50.116.6 dst=10.50.110.210)
> ===Cut===
You are running with debugging turned on; otherwise you'd just see the
statistics being updated.
> I'm using FreeBSD as a security gateway:
>
> FreeBSD A >======ipsec over gre===> FreeBSD B
What it means is that a packet with either an invalid sequence, a
sequence lower than the last seen and outside the window, or a
sequence seen already (lately) has arrived.
Could it be that something is duplicating packets or that you have
packet loss between A and B? Given that you say that you are running
IPsec on top of GRE (which sounds strange anyway) I'd monitor the
outer tunnel endpoints independently to see what's going on.
/bz
--
Bjoern A. Zeeb Welcome a new stage of life.
<ks> Going to jail sucks -- <bz> All my daemons like it!
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
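
The three rejection cases named in the reply above (invalid sequence, lower than the last seen and outside the window, already seen) can be illustrated with a sliding-window check; this is an added example, not part of the original message and not the FreeBSD kernel's code. It assumes a 32-packet window and 32-bit sequence numbers, and it merges the check and the window update into one call for brevity. All names in it are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict names are this example's own, not FreeBSD kernel identifiers. */
enum verdict { ACCEPT = 0, BAD_SEQ, TOO_OLD, DUPLICATE };

#define WINDOW 32u  /* assumed replay window size, in packets */

struct sa_replay {
    uint32_t last;    /* highest sequence number accepted so far */
    uint32_t bitmap;  /* bit i set => sequence (last - i) was already seen */
};

/* Check a received sequence number and, if acceptable, record it. */
enum verdict replay_check(struct sa_replay *r, uint32_t seq)
{
    if (seq == 0)                     /* invalid sequence */
        return BAD_SEQ;
    if (seq > r->last) {              /* newer than anything seen: slide window */
        uint32_t shift = seq - r->last;
        r->bitmap = (shift < WINDOW) ? (r->bitmap << shift) | 1u : 1u;
        r->last = seq;
        return ACCEPT;
    }
    uint32_t diff = r->last - seq;
    if (diff >= WINDOW)               /* lower than last seen, outside window */
        return TOO_OLD;
    if (r->bitmap & (1u << diff))     /* sequence seen already */
        return DUPLICATE;
    r->bitmap |= 1u << diff;          /* late but inside the window: accept once */
    return ACCEPT;
}

int main(void)
{
    /* Constructed arrival order: a duplicate (1), a late packet (3) and its
     * duplicate, a jump ahead (100), then packets behind it (68, 69). */
    static const uint32_t arrivals[] = { 1, 1, 5, 3, 3, 100, 68, 69, 0 };
    static const char *names[] = { "accept", "invalid sequence",
                                   "outside window", "already seen" };
    struct sa_replay sa = { 0, 0 };
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++)
        printf("seq %u: %s\n", (unsigned)arrivals[i],
               names[replay_check(&sa, arrivals[i])]);
    return 0;
}
```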