Site to Site IPSEC VPN problem with firmware 4.38: replay detection

philippegervaix Posts: 2  Freshman Member
edited April 2021 in Security
Hello,
Since the upgrade to firmware 4.38 from version 4.33, site-to-site IPsec VPNs produce multiple errors of this type:

SPI:0x5d5463db SEQ:0x4789c Packet Anti-Replay detected

They disappear for 1 day after a deactivation/activation of the VPN connections,
and then come back the next day.

Our configurations haven't changed for a long time, and this problem appeared with the update.

Zyxel advised me to change the MSS of the VPN connection (which is in "auto" mode by default), but I'm not convinced by this solution, because I don't know what value to set for the MSS.

Do other people have this problem?

What is the best solution?

Change the MSS?

Back to firmware 4.33?

Thank you in advance

Philippe

All Replies

    Zyxel_Stanley Posts: 1,379  Zyxel Employee

    Hi @philippegervaix  

    The Anti-Replay detection is a mechanism for protecting VPN packet security.

    When the system receives ESP packets whose SPI/SEQ doesn't match an existing VPN tunnel, it will drop the packet and generate this log.

    The reason may be an attack from the internet or something else.

    Don't worry about this log, since the attack packets have already been dropped, and the traffic is protected in the VPN tunnel and repackaged as ESP packets.
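The sequence-number side of the check behind that log, as an added example (not code from Zyxel or from this thread): each inbound SA, identified by its SPI, keeps the highest ESP sequence number accepted and a bitmap of recently received numbers, and a packet whose number is already marked or older than the window is dropped. The 64-packet window width and the sample sequence numbers are assumptions; the SPI and SEQ values are the ones from the log above.

```python
# Added example, not code from Zyxel or this thread: a model of the ESP
# anti-replay sliding window (RFC 4303) a VPN gateway keeps per inbound SA.
WINDOW_SIZE = 64  # assumed window width; RFC 4303 requires at least 32


class AntiReplayWindow:
    """Tracks received ESP sequence numbers for one inbound SA (one SPI)."""

    def __init__(self, spi, window_size=WINDOW_SIZE):
        self.spi = spi
        self.window_size = window_size
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (highest - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh, False if it must be dropped."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1
        if seq > self.highest:
            # New high-water mark: slide the window to the right.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1  # everything seen so far falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False  # older than the window: cannot tell it from a replay
        if self.bitmap & (1 << offset):
            return False  # already received: a duplicated or replayed packet
        self.bitmap |= 1 << offset  # late but in-window and unseen: accept
        return True


def process(spi, seqs, window_size=WINDOW_SIZE):
    """Feed inbound sequence numbers for one SPI through the window and return
    the log lines the gateway would emit for the packets it drops."""
    win = AntiReplayWindow(spi, window_size)
    return [f"SPI:{spi:#x} SEQ:{seq:#x} Packet Anti-Replay detected"
            for seq in seqs if not win.check_and_update(seq)]


if __name__ == "__main__":
    # Constructed sample: the thread's SPI, a duplicate of 0x4789c, and one stale packet.
    sample = [0x4789a, 0x4789b, 0x4789c, 0x4789c, 0x4789d, 0x47839]
    for line in process(0x5d5463db, sample):
        print(line)
```

A burst of these logs on a tunnel that otherwise works usually means packets arriving late or duplicated (reordering, path MTU and fragmentation issues are typical causes), which is why the MSS suggestion is not unreasonable; a packet capture of the ESP traffic on both gateways will show whether the flagged sequence numbers are true duplicates or merely older than the window.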
