Which action can the engineer take to eliminate this error message?

Refer to the exhibit. An engineer encounters a debug message.
Which action can the engineer take to eliminate this error message?


A. Use stronger encryption suite.
B. Correct the VPN peer address.
C. Make adjustment to IPSec replay window.
D. Change the preshared key to match.


One thought on “Which action can the engineer take to eliminate this error message?”

  1. Same exact question and graphic as #23, and different answer.

    #23’s answer is “Correct the VPN peer address.” That is incorrect.

    This is the correct answer:

    https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html

    Solution

    After the peer is identified, there are three possible scenarios:
    1. It is a valid packet: Packet captures help confirm if the packet is actually valid, and if the problem is insignificant (due to network latency or transmission path issues) or requires a more in-depth troubleshoot. For example, the capture shows a packet with a sequence number of X that arrives out of order, and the window size is set to 64. If X + 64 packets arrive before packet X, then it gets dropped due to a replay failure (it is not really an attack).

    In such scenarios, increase the size of the replay window in order to ensure that such delays are accounted for and prevent legitimate packets from being dropped. By default, the window size is fairly small (window size of 64). If you increase the size, it does not greatly increase the risk of an attack. For information on how to configure an IPsec Anti-Replay Window, refer to the How to Configure IPsec Anti-Replay Window: Expanding and Disabling article.
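
The scenario quoted in the comment above, as an added example that is not part of the original page or the Cisco document: a receiver-side anti-replay sliding window in the style of RFC 4303, run over a constructed arrival trace in which packet X is overtaken by 64 later packets. The class and function names, X = 100 and the window size of 1024 are assumptions chosen for illustration.

```python
class AntiReplayWindow:
    """Sketch of an ESP-style anti-replay window (after RFC 4303), not vendor code."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (top - i) was already received

    def check_and_update(self, seq):
        if seq == 0:
            return "drop: invalid"
        if seq > self.top:
            # New highest sequence: slide the window right and mark it as seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            # Late packet is older than the left edge: reported as a replay failure.
            return "drop: outside window"
        if self.bitmap & (1 << offset):
            # Same sequence number seen before: a genuine replay.
            return "drop: duplicate"
        self.bitmap |= 1 << offset
        return "accept"


def deliver(window_size, arrival_order):
    """Feed sequence numbers to a fresh window in arrival order; return verdicts."""
    window = AntiReplayWindow(window_size)
    return [(seq, window.check_and_update(seq)) for seq in arrival_order]


def delayed_packet_verdict(window_size, x=100, overtaken_by=64):
    """Constructed trace: 1..x-1 in order, x delayed, x+1..x+overtaken_by, then x."""
    order = list(range(1, x)) + list(range(x + 1, x + overtaken_by + 1)) + [x]
    return deliver(window_size, order)[-1][1]


if __name__ == "__main__":
    for size in (64, 1024):
        print(f"window={size}: late packet ->", delayed_packet_verdict(size))
    print("window=1024: true replay ->", deliver(1024, [1, 2, 3, 2])[-1][1])
```

With the larger window the delayed packet is accepted, while a sequence number that was already received is still rejected as a duplicate.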
