Knowledge Search


×
 

VPN Packets from ISG to SRX are Dropped Due to Out of Sequence Packets with Replay Protection Enabled

  [KB26671] Show Article Properties


Summary:
This article provides information on how to resolve replay attack issues generated by ISG or NS5000 due to out of sequence VPN Packets.
Symptoms:
Customers are having issues with the traffic flow going through the VPN tunnel. 
VPN Packets are dropped.
Solution:
When under load, ISG and NS5000 devices may be sending VPN packets out of sequence, which will appear on the peer as if there was a replay attack.  For further details on this, see KB22051 - [ScreenOS] Why disable VPN engines, and how?

There are two solutions to address this issue. 
Option 1 - Disable replay protection on the SRX device.   This is done by specifying no-anti-replay on the IPSec Phase 2 configuration.
Example:
vpn home-vpn {
    bind-interface st0.2;
    vpn-monitor {
        source-interface ge-0/0/1.0;
        destination-ip 10.10.10.198;
    }
    ike {
        gateway home-gw;
        no-anti-replay;
        ipsec-policy ipsec-pol;
    }
    establish-tunnels immediately;
}

Option 2 - Disable one or more VPN Engines on the ISG or NS5000 firewall.  Every ASIC Chip on the firewall has 4 VPN engines, each encrypting/decrypting ESP traffic independently. The 'Out of Sequence' issue arises when one engine sends out ESP packet with a higher sequence number while another engine sends out a packet with lesser sequence number later.

Use either of the following two methods to change the VPN engine behavior.

Method 1 -Changing the SPI behavior using two VPN engines to encrypt the traffic and the other two VPN engines to decrypt the traffic per ASIC. This will not eliminate the issue totally, but by using only 2 engines to encrypt (instead of default 4), the frequency of the issue will reduce considerably.

  1. Upgrade the device to ScreenOS 5.4, 6.1, 6.2, or 6.3.
  2. set env correct_spi=yes
  3. Reset the firewall.
  4. Run get env  to see the following output:
    correct_spi=yes
Setting correct_spi=yes, allows the two VPNs engines to encrypt and the other two VPN engines to decrypt per ASIC.
NOTE: This command does not disable any VPN engine.

Method 2 -   Disabling the VPN engines (one, two or three engines) .
  1. To disable one VPN engine:
    1. Run: set env correct_seq=yes
    2. Reset the firewall.
    3. Run: get env
    4. Verify the output displays: correct_seq=yes
  2. To disable two VPN engines:
    1. Run: set env correct_seq2=yes
    2. Reset the firewall.
    3. Run: get env
    4. Verify the output displays: correct_seq2=yes
  3. To disable three VPN engines:
    1. Run: set env correct_seq3=yes
    2. Reset the firewall.
    3. Run: get env
    4. Verify the output displays: correct_seq3=yes

Note: Disabling VPN engines might lead to VPN traffic performance related issues, as the load of handling VPN packets will be performed only by lesser number of engines. Also, it might lead to packet drops, if the VPN engines are overwhelmed by the VPN traffic. Especially when 3 engines are disabled, load will be handled by only one engine; so always be careful before disabling three VPN engines.
Modification History:
2017-12-07: Article reviewed for accuracy. Content clarified and format corrected. Article is correct and complete.
Related Links: