VPN traffic is dropped with "Encryption failure: Warning: possible replay attack" log
Symptoms
  • VPN traffic is dropped with "Encryption failure: Warning: possible replay attack" log.
  • Identity Sharing is enabled and the Gateways share identities across the VPN tunnel. Identity Sharing connections from the standby cluster member are encrypted and sent into the tunnel.
  • Running # fw ctl zdebug + drop shows the following drop: dropped by vpn_ipsec_decrypt Reason: decryption failure: Replay attack;
Cause

These log errors in the SmartView Tracker are generated by the VPN module when a packet arrives with a replay counter (ESP sequence number) that does not fall inside the SA's anti-replay window. The VPN module reports this as a possible "Replay Attack" because it has detected a late or out-of-sequence packet. A Replay Attack is an act of an attacker obtaining a copy of an authenticated packet and later transmitting it to the intended host. The receipt of duplicate, authenticated IP packets can have undesired consequences or disrupt service in some way.

The issue can be caused by Identity Sharing to/from the standby cluster member. As a result, the standby member opens a tunnel in parallel to the active member, and the peer sees the standby's traffic as out-of-sequence packets, which triggers the Replay Attack drop.

The sequence number field is designed to prevent such attacks. When a new Security Association (SA) is established, the sender initializes a sequence number counter to "0". Each time a packet is sent on this Security Association (SA), the sender increments the counter and places the value in the sequence number field. Thus, the first value used is "1".
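The following is an added illustration, not code from this article or from Check Point: a toy receiver-side anti-replay window in the style of RFC 4303 (sliding window anchored at the highest sequence number accepted, with a bitmap of already-seen numbers), plus a constructed simulation of the symptom described above. The window width of 64 and the assumption that the peer receives both cluster members' packets under one SA are illustrative choices; each sender keeps its own counter starting at 0, so the first value each sends is 1, exactly as described in the paragraph above.

```python
"""Toy IPsec-style anti-replay window (RFC 4303 Appendix A style).

Added illustration, not Check Point code. Shows why a receiver logs a
"possible replay attack": it accepts only sequence numbers that are new
and inside a sliding window anchored at the highest number seen so far.
"""

from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    """Receiver-side replay state for one inbound Security Association (SA)."""
    size: int = 64      # window width in packets (assumed value for the demo)
    top: int = 0        # highest sequence number accepted so far
    bitmap: int = 0     # bit i set => sequence number (top - i) already seen

    def check(self, seq: int) -> str:
        """Classify an incoming sequence number.

        Returns 'accept', 'replay' (duplicate inside the window) or
        'stale' (older than the window). Both non-accept results are
        the cases a gateway would drop and log as a possible replay.
        """
        if seq == 0:
            return "replay"  # 0 is never sent; the first valid number is 1
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # everything older has fallen out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "stale"  # too far behind the window to be verified
        if self.bitmap & (1 << offset):
            return "replay"  # already seen inside the window
        self.bitmap |= 1 << offset  # late but new: accept and remember it
        return "accept"


@dataclass
class Sender:
    """One sending gateway: counter starts at 0, first value sent is 1."""
    name: str
    counter: int = 0

    def next_seq(self) -> int:
        self.counter += 1
        return self.counter


def simulate_two_senders(n_active: int = 10, n_standby: int = 3) -> dict:
    """Constructed scenario: the active member sends n_active packets, then the
    standby member, with its own counter, sends n_standby packets that the
    peer treats as belonging to the same SA (assumption for the demo)."""
    window = AntiReplayWindow()
    active, standby = Sender("active"), Sender("standby")
    log = []
    for _ in range(n_active):
        seq = active.next_seq()
        log.append((active.name, seq, window.check(seq)))
    for _ in range(n_standby):
        seq = standby.next_seq()
        log.append((standby.name, seq, window.check(seq)))
    dropped = [entry for entry in log if entry[2] != "accept"]
    return {"log": log, "dropped": dropped}


if __name__ == "__main__":
    for sender, seq, verdict in simulate_two_senders()["log"]:
        print(f"{sender:8} seq={seq:3}  {verdict}")
```

In the simulation the active member's sequence numbers 1 to 10 are accepted, so the receiver's window top is 10; the standby member then sends 1, 2 and 3 from its own fresh counter, all of which land on already-set bits and are classified as replays. That is the same outcome as the parallel standby tunnel described above: nothing was actually replayed by an attacker, but the peer cannot distinguish a second sender's low sequence numbers from duplicates.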

Replay attack protection is implemented in VPN-1 and Check Point IPsec RA clients (all versions and variations, including the Safe@ series, Edges, UTM-1s).
