Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX Appliance and Cisco Anti-Replay Detection

KeithBucknall
Here to help
‎Sep 21 2017 5:14 AM
‎Sep 21 2017 5:14 AM

MX Appliance and Cisco Anti-Replay Detection

Hi,

 

We are currently having a lot of issues with our newly deployed (and to be deployed) MX's over a site-to-site VPN with a Juniper firewall.  The MX's replaced some ageing Cisco ASA's that also had an issue which Cisco identified as the Anti-Replay protection and the MX's are showing the same symptoms.

 

Having worked with the Meraki support team they have hit a block as the product team have not confirmed if Anti-Replay is in the MX code or not and if so how to disable it - I am posting this hoping someone will know or answer.

 

Thanks

 

Keith

0 Kudos
Subscribe
13 Replies 13
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 21 2017 1:15 PM
‎Sep 21 2017 1:15 PM

Anti-replay protection is part of IPSec.  It is not a Cisco/Meraki/Juniper feature per-see.

 

Sometimes there can be multiple paths between a source and destination.  This can cause the IPSec packets to arrive out of order.  IPSec can only decrypt the packets if they arrive in order.

 

So when packets arrive out of order (or a packet goes missing) the device is allowed to buffer packets up to the "replay window size" and put them back into order.  If the missing packets have not turned up in that time it has no choice but to throw them away.  At this point you effectively have to rebuild the VPN.

 

On Cisco ASA's and Cisco routers you can configure the replay window size.  You can't do this on Cisco Meraki.  I have no idea about Juniper.

On the whole, it is not a setting that has to be adjusted very often.  When you need to adjust it you normally only make it larger.

 

If you are experiencing replay window issues and the Juniper can not have its window expanded then you should probably look at the root of the issue - why are you getting packets lost or transmitted out of order so often.

Subscribe
In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 21 2017 6:02 PM
‎Sep 21 2017 6:02 PM

You can read more about it on Wikipedia.

https://en.wikipedia.org/wiki/Anti-replay

Subscribe
In response to PhilipDAth
KeithBucknall
Here to help
‎Sep 22 2017 6:30 AM
‎Sep 22 2017 6:30 AM

Thanks for the reply, is the window sized configured within ike phase 2 proposal as this is what Meraki support advised us to remove from the Juniper configuration and since then it has been ok.  But we do see a lot of re-negotiations on the MX side but now on the Juniper side.

0 Kudos
Subscribe
In response to KeithBucknall
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 22 2017 12:22 PM
‎Sep 22 2017 12:22 PM

To the best of my knowledge, the replay window size is not a negotiated parameter.  On Cisco Enterprise kit you can configure it globally or per VPN.

0 Kudos
Subscribe
In response to PhilipDAth
KeithBucknall
Here to help
‎Dec 7 2017 9:12 AM
‎Dec 7 2017 9:12 AM

Hi,

 

Just to update you on this we are having more and more issues with different MX's and we think the issue is either the ESP window size or the fact that the Meraki's have anti-replay enabled.

 

I am about to rip these out for Fortinet which is a shame.

Subscribe
In response to KeithBucknall
KeithBucknall
Here to help
‎Dec 8 2017 3:27 AM
‎Dec 8 2017 3:27 AM

Hi,

 

We have had two sites go down today one with an MX-64 and the other with MX-100 both terminating on a 3rd Party ISG, the issue was slightly different to the loss of packets yesterday within the active tunnel.  This was the tunnel going down.

 

I am starting to think this is a Meraki bug issue but support cant find the issue

0 Kudos
Subscribe
In response to KeithBucknall
KeithBucknall
Here to help
‎Dec 8 2017 7:41 AM
‎Dec 8 2017 7:41 AM

We had another outage and the only advise I get now is try and get upstream packet captures which ~I cannot do for this remote site.  5 times now Meraki refuse to disable Anti Replay Protection and I cannot understand why the product team will not disable this.  Every "enterprise" firewall has the ability to do this apart from Meraki.

 

It is so frustrating that the only option I have is to get a refund for all my MX firewalls and move to an "enterprise" class device, so disappointing.

0 Kudos
Subscribe
In response to KeithBucknall
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 8 2017 11:37 AM
‎Dec 8 2017 11:37 AM

I think you have a fundamental mis-understanding of anti-replay detection.

 

This is a "per-device" setting.  It is not a negotiated setting.

 

And you absolutely do not want it disabled.  VPNs would fall over constantly without it.  Anti-replay detection allows packets to be re-ordered (inside of the window) that are received out of order - rather than tearing the entire VPN down.

0 Kudos
Subscribe
In response to KeithBucknall
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 8 2017 11:41 AM
‎Dec 8 2017 11:41 AM

Maybe it might be better to buy an extra MX and put it at this third party, so you can use AutoVPN to the VPNs automatically.  It would save all the grief you are having.

0 Kudos
Subscribe
In response to PhilipDAth
KeithBucknall
Here to help
‎Dec 12 2017 6:03 AM
‎Dec 12 2017 6:03 AM

@PhilipDAth I would love to do that but the 3rd party refuses it!

0 Kudos
Subscribe
In response to KeithBucknall
KeithBucknall
Here to help
‎Jan 10 2018 1:10 AM
‎Jan 10 2018 1:10 AM

Hi all,

 

Just to update you on this, it turns out that we cannot work out what is happening and the only function we cannot disable and test is Anti-Replay Protection which Meraki cannot do.  Therefore I am now having to replace all my firewalls with another vendor that supports this which is extremely disappointing.  Meraki advised us to move to Cisco ASA but I do not have the skills in-house which is why I wanted Meraki in the first place.

 

Shame.!

0 Kudos
Subscribe
OHTorx
Here to help
‎May 31 2018 10:07 AM
‎May 31 2018 10:07 AM

We have the same issues and have had a case opened opened for months. We finally had a break through. With firmware 15.7 Meraki changed the anti replay value from 4 to 32. Juniper has a default value of 64. We have requested that this be a configurable value either to the end user or the Support staff. After applying the beta code all has been smooth. We are still working out a few Dead Peer detection issues, on lesser used subnets.
Subscribe
In response to OHTorx
ITofTN
Here to help
‎Jun 6 2018 7:01 AM
‎Jun 6 2018 7:01 AM

From another thread

 

https://community.meraki.com/t5/Security-SD-WAN/VPN-stops-passing-traffic-between-Meraki-Security-Ap...

 

Advised me to look into the anti-replay window between the meraki and the watchguard firewall.

 

Having issue of phase2 just hanging they turned off nat-T but another user referenced anti-replay.

 

 

 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.