%CRYPTO-4-PKT_REPLAY_ERR:

I have been seeing the following error message in the logs for a few days now.
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=4587, sequence number=17094
I managed to track down the connection id:4587 and I can see the peer IP with the actual recv errors. There are no issues with the VPN itself, traffic is working fine.
I have tried to increase the actual window size under the specific crypto map for that particular peer and it makes no difference. Even cleared the sa after applying the changes.
crypto map xxxxxxxxx 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
security-association replay window-size 1024
Have increased the replay window globally to 1024 however the errors keep appearing.
crypto ipsec security-association replay window-size 1024
Has anyone actually disabled the replay window checking? Did it impact anything?
crypto ipsec security-association replay disable
no crypto ipsec security-association replay window-size 1024
Does it actually stop the replay errors?
Or, to stop these errors, do you need to change the hash algorithm (sha instead of md5)?
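To make the two causes behind this message concrete, here is an added example (not Cisco IOS code and not from the poster) that models the receive-side anti-replay window of RFC 4303 section 3.4.3 and runs three constructed traces through it: in-order traffic, traffic reordered by a modelled post-encryption priority queue, and a retransmitted packet. The window sizes, burst size and traffic mix are assumptions chosen for the illustration. The point it makes is that a larger window (64 versus 1024) absorbs reordering, while a genuine duplicate fails the check whatever the window size, so `replay window-size 1024` cannot silence errors that come from retransmission on the path.

```python
"""Receive-side IPsec anti-replay window (RFC 4303 section 3.4.3), added here
as an illustration; it is not Cisco IOS code.  A packet fails the check for
one of two reasons, and only the first is helped by a larger window:
  - "too old":   its sequence number is below the bottom of the window, i.e. it
                 was reordered by more than `size` packets in transit;
  - "duplicate": that sequence number was already accepted, i.e. something on
                 the path retransmitted the packet.
"""


class ReplayWindow:
    """Window of `size` sequence numbers ending at the highest one accepted."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set <=> sequence number (highest - i) was accepted

    def check_and_update(self, seq):
        """Return None if `seq` is accepted, otherwise the reason it is dropped."""
        if seq <= 0:
            return "invalid"                     # ESP sequence numbers start at 1
        if seq > self.highest:                   # newest packet so far: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return None
        offset = self.highest - seq
        if offset >= self.size:
            return "too old"
        if self.bitmap & (1 << offset):
            return "duplicate"
        self.bitmap |= 1 << offset               # late but inside the window: accept once
        return None


def count_replay_errors(seqs, size):
    """Feed a sequence-number trace through a fresh window; return {reason: count}."""
    window = ReplayWindow(size)
    errors = {}
    for seq in seqs:
        reason = window.check_and_update(seq)
        if reason is not None:
            errors[reason] = errors.get(reason, 0) + 1
    return errors


def constructed_traffic(n=400, every=4):
    """Constructed sample: n ESP packets numbered in encryption order, every
    `every`-th one belonging to a priority (e.g. voice) class."""
    return [(seq, "priority" if seq % every == 0 else "data") for seq in range(1, n + 1)]


def schedule_with_priority(packets, burst=100):
    """Model of a post-encryption low-latency queue: within each burst handed to
    the scheduler, priority packets go out before best-effort ones.  Sequence
    numbers were assigned before scheduling, so the wire order is reordered."""
    out = []
    for i in range(0, len(packets), burst):
        chunk = packets[i:i + burst]
        out.extend(p for p in chunk if p[1] == "priority")
        out.extend(p for p in chunk if p[1] != "priority")
    return out


def demo():
    """Return the error counts for the four traces discussed in the lead-in."""
    in_order = [seq for seq, _ in constructed_traffic()]
    reordered = [seq for seq, _ in schedule_with_priority(constructed_traffic())]
    retransmitted = [1, 2, 3, 2]                 # packet 2 delivered twice
    return {
        "in order, window 64": count_replay_errors(in_order, 64),
        "reordered by QoS, window 64": count_replay_errors(reordered, 64),
        "reordered by QoS, window 1024": count_replay_errors(reordered, 1024),
        "retransmit, window 1024": count_replay_errors(retransmitted, 1024),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:32s} -> {result or 'no replay errors'}")
```

Run as a script it prints one line per trace. The scheduler model is the situation the QoS post further down this page suspects: with pre-classification, sequence numbers are assigned at encryption and a priority queue downstream then reorders the ESP stream, which a wider window tolerates. Rick's explanation in the "Crypto error" post (a packet retransmitted along the path) is the duplicate case, which no window size fixes.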

Adam,
I don't have a resolution yet, so I opened a TAC case last Saturday.  I'll keep you posted on this forum.

Similar Messages

  • Frequent %CRYPTO-4-PKT_REPLAY_ERR: log messages

    Hi All,
    I get the following log message on my spoke 881 router from time to time.
    For instance today I got 80 messages like this.
    Frequent %CRYPTO-4-PKT_REPLAY_ERR: log messages
    This is dual hub DMVPN connectivity and both tunnels are stable during the day and EIGRP never dropped.
    User behind this router also never complained. They run mainly voip traffic and I have QoS both on HUB and Spokes defined under tunnel as qos-preclassify and policy-map is applied on the physical interface.
    I have also increased replay window size up to 1024, but it did not help.
    Wondering what else can be done here.
    IOS ver both on spokes and hub is 15.2.3(T3)

    Don't know where they came from, but you could turn on debugging ipsec and isakmp to see if there is a relation with other events like rekeying.
    Michael
    Please rate all helpful posts

  • CRYPTO-4-PKT_REPLAY_ERR syslog parsing

    Every time ios generates the "CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed" log msg I receive 3 syslog messages, as if ios is not concatenating them into 1 msg string before sending.  It's really annoying because I can't filter a null string that also has a null message type on my nms. I tried changing the facility settings and get the same result.  If I use TCL to filter the syslog msg by type "CRYPTO-4-PKT_REPLAY_ERR" it will only filter the 1st syslog message since the types on the other 2 msgs are null. 
    I can't find a bug or discussion about this so I am hoping somebody out there might have a solution ... 
    DEVICE INFO:
    c3825-advipservicesk9-mz.124-25b.bin
    logging buffered 15000 debugging
    logging rate-limit all 3
    no logging console
    no logging monitor
    crypto logging session
    logging origin-id hostname
    logging facility syslog
    logging source-interface GigabitEthernet0/0
    logging 11.22.33.44
    FROM LOGGING BUFFER:
         Dec 14 08:00:37 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:00:37 CST Wed Dec 14 2011
    #1>> Dec 14 08:01:41 CST: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
    #2>>     connection id=70, sequence number=43990
    #3>>
         Dec 14 08:10:36 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:10:36 CST Wed Dec 14 2011
    THREE SYSLOG MSG's RECEIVED:
         #1
             MSG TYPE:   CRYPTO-4-PKT_REPLAY_ERR
             MSG STRING: 7015321: routerA: decrypt: replay check failed
         #2
             MSG TYPE:   null
             MSG STRING: 7015322: routerA: connection id=70, sequence number=43990
         #3
             MSG TYPE:   null
             MSG STRING: 7015323: routerA:
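    The filtering the poster wants on the NMS side becomes possible once the three datagrams are stitched back into one event before the type check. The following is an added example written for this page (not Cisco or NMS-vendor code). It assumes the datagrams arrive as `<pri>counter: host: body`, the shape produced with `logging origin-id hostname` and message sequence numbers, and that the pieces of one event carry consecutive counters, as the capture above shows (7015321, 7015322, 7015323). The sample datagrams are constructed from that capture; the timestamps in the bodies are an assumption.

```python
"""Reassembler for the three-datagram form of %CRYPTO-4-PKT_REPLAY_ERR.
Added example, not Cisco or NMS vendor code.  Assumes datagrams of the form
"<pri>counter: host: body" and that continuation pieces of one event arrive
with consecutive counters from the same host."""
import re

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<counter>\d+): (?P<host>\S+): ?(?P<body>.*)$")
HEADER_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
REPLAY_RE = re.compile(r"connection id=(?P<conn>\d+), sequence number=(?P<seq>\d+)")

# Constructed sample of what the NMS received for the event quoted above: only
# the first of the three datagrams carries the %FACILITY-SEVERITY-MNEMONIC
# header, the second carries the detail line and the third is empty.
SAMPLE = [
    "<188>7015320: routerA: Dec 14 08:00:37 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22]",
    "<188>7015321: routerA: Dec 14 08:01:41 CST: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed",
    "<188>7015322: routerA: connection id=70, sequence number=43990",
    "<188>7015323: routerA: ",
    "<188>7015324: routerA: Dec 14 08:10:36 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22]",
]


def reassemble(lines):
    """Stitch header-less continuation datagrams onto the preceding record."""
    records = []
    current = None            # record that the next continuation would belong to
    last = None               # (host, counter) of the last datagram seen
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, counter, body = m["host"], int(m["counter"]), m["body"].strip()
        hdr = HEADER_RE.search(body)
        if hdr:
            current = {"host": host, "counter": counter,
                       "mnemonic": f"{hdr['facility']}-{hdr['severity']}-{hdr['mnemonic']}",
                       "text": hdr["text"].strip()}
            records.append(current)
        elif current is not None and last == (host, counter - 1):
            if body:                              # the empty trailing datagram adds nothing
                current["text"] += " " + body
        else:                                     # orphan: keep it, but unclassified
            current = None
            records.append({"host": host, "counter": counter, "mnemonic": None, "text": body})
        last = (host, counter)
    for rec in records:                           # pull out the fields worth correlating on
        d = REPLAY_RE.search(rec["text"])
        if d:
            rec["connection_id"] = int(d["conn"])
            rec["sequence_number"] = int(d["seq"])
    return records


def suppress(records, mnemonics):
    """Drop whole events by mnemonic; continuation text goes with its header."""
    return [r for r in records if r["mnemonic"] not in mnemonics]


if __name__ == "__main__":
    for rec in suppress(reassemble(SAMPLE), {"CRYPTO-4-PKT_REPLAY_ERR"}):
        print(rec["counter"], rec["mnemonic"], rec["text"])
```

    Because the continuation text is attached to the record that carries the mnemonic, a type-based filter now removes the "connection id=..., sequence number=..." detail together with its header instead of leaving it behind as an untyped message.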

  • CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

    Center router is cisco 7300 :
    Cisco IOS Software, 7301 Software (C7301-ADVIPSERVICESK9-M), Version 15.1(4)M2
    branch router is cisco1900:
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
    one branch router uses EZVPN to connect to the Center router.
    branch router log:
    %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
    and 10% packet loss.
    but another branch using EZVPN to connect to the Center router is OK:
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
    What can be done for this issue?
    Should I change the cisco1900 IOS to the 12.4 as the same as cisco880 ?

    Hi Anuj
    Thanks for your reply.
    Yes, the issue happens frequently, and packets are lost. The log happened every 3 minutes.
    As I am not in charge of the router in the branch, I can not change the hardware accelerator.
    I have changed the window-size to 1024 in the branch router, but the issue is as before.
    Here is the show crypto ipsec sa and the whole error message:
    sh crypto ipsec sa
    interface: Virtual-Access1
        Crypto map tag: Virtual-Access1-head-0, local addr 
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer                port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 519, #pkts encrypt: 519, #pkts digest: 519
        #pkts decaps: 665, #pkts decrypt: 665, #pkts verify: 665
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.:       , remote crypto endpt.:  
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x550C1C42(1426857026)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x38F532D7(955593431)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2091, flow_id: Onboard VPN:91, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
            sa timing: remaining key lifetime (k/sec): (4561181/3566)
            IV size: 16 bytes
            replay detection support: Y  replay window size: 1024
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550C1C42(1426857026)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2092, flow_id: Onboard VPN:92, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
            sa timing: remaining key lifetime (k/sec): (4561911/3566)
            IV size: 16 bytes
            replay detection support: Y  replay window size: 1024
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    Dec 20 01:34:32.656: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
            connection id=91, sequence number=12353
    Dec 20 01:39:06.552: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
            connection id=91, sequence number=18191
    Dec 20 01:40:38.532: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
            connection id=91, sequence number=20363
    Dec 20 01:43:05.856: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
            connection id=91, sequence number=23609

  • %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1777, sequence number=161369

    I have a pair of 3945E routers I use as redundant VPN head-ends in our data center and numerous 2901 and one 2951 used as spoke routers.  Each of the spokes is connected to the 3945's over VTI tunnels three and four.  We regularly see replay errors occur, but this morning, we had it get disruptive enough on one of the tunnels on the 2951 where we experienced 80 to 90 percent packet loss across that one tunnel.  This caused an outage which I was only able to rectify by shutting down the tunnel interface on each router and bringing them back up, thus resetting the SA.
    I'm needing to understand how to reduce or completely eliminate the replay errors.  I've read something about increasing the replay window size, but don't have a clue where to start.  What is the best way to fix this without disabling replay checking?  Or, since the VPN head-ends and spoke routers only have static routes established across the Internet to each other, is replay checking even necessary or desired?
    Thanks in advance!
    Paul Wishart

  • "Crypto replay check failed" errors

    Hey folks,
    I have a site-to-site IPSEC VPN using 2 catalyst 6500's running IOS 12.2(18)SXD7b on each end.
    After reviewing the syslog files this morning, I noticed that for the last 4 days at approximately the same time each nite, my router reports this error:
    Local7.Warning: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
    The error reporting tool on cisco.com says this error is benign, but does not give much info or troubleshooting tips. I've double checked my configuration and everything looks fine. Have you guys seen this before? Any tips?
    Thanks,
    SM

    Hi Steve, check this link if it can help you:
    http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K07229553
    Regards,
    Ricardo

  • Crypto error

    Can anyone tell me what this error means? We are running encrypted GRE tunnels router to router. AES 256
    Apr  4 16:09:41.349 EDT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
            connection id=7357, sequence number=1860336

    HTH
    I am not seeing a lot of these. I will keep an eye on it though.
    Thank you
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Doug Bradfield
    Network Analyst Ld
    TSYS Network Services / Network Engineering
    706-644-3559
    From: rburts
    To: Douglas Bradfield ,
    Date: 04/07/2012 04:15 PM
    Subject: - Re: Crypto error
    created by Richard Burts in VPN
    Douglas
    As part of the IPSec implementation of the encrypted GRE tunnel it checks
    on packets received to make sure that it has not seen that packet before.
    In this case it believes that it has seen this packet before. It looks
    like, for some reason, something along the path has re-transmitted this
    packet. I see this kind of message with some frequency and as long as
    there are not a lot of them I do not think that it is a big problem. Are
    you seeing a few or a lot of these?
    HTH
    Rick

  • Problem : tcl script for filter IPSec cosmetic log

    Hi all, I would like some advice from anyone who has ever seen this case. I applied a tcl script to filter an ipsec error log that is cosmetic. But my site doesn't want to see this log in the router log. I already created a tcl script to filter it out. OK, the script works fine, but it does more: it filters other messages out, not just the ipsec log. I checked that the cisco device supports scripts. How can I fix this problem?
    See my detail of script and ios version of router :
    script :
    # VPN_Error.tcl  This script deletes all log messages about VPN error messages
    # The script will filter by combination between facility-severity and mnemonic
    # Created on 05-Oct-2012.
    set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
    set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
    foreach msg $msgs {
        if { $msg == $fac_sev_mnem } {
        return ""
    return $::orig_msg
    ios router version :
    : c2800nm-adventerprisek9-mz.124-25f.bin
    : c2800nm-adventerprisek9-mz.124-7b.bin
    log information and configuration
    When I applied command:
    logging filter flash:VPN_Filter2.tcl
    logging buffered filtered 4096 debugging
    show log file:
    router#sh logg
    Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering enabled)
        Console logging: level debugging, 18145 messages logged, xml disabled,
                         filtering disabled
        Monitor logging: level debugging, 428 messages logged, xml disabled,
                         filtering disabled
            Logging to: vty322(2)
        Buffer logging: level debugging, 0 messages logged, xml disabled,
                        filtering enabled (0 messages logged)
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
    Filter modules:
        flash:VPN_Filter2.tcl  
        Trap logging: level informational, 47011 message lines logged
            Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
            Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
            Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
    Log Buffer (4096 bytes):
    router#
    If you have some more information. Please tell me.
    Thank you for your advice

    It looks like your script has an error.  You have an extra '}'.  It should be:
    # VPN_Error.tcl  This script deletes all log messages about VPN error messages
    # The script will filter by combination between facility-severity and mnemonic
    # Created on 05-Oct-2012.
    #
    set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
    set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
    foreach msg $msgs {
        if { $msg == $fac_sev_mnem } {
            return ""
        }
    }
    return $::orig_msg

  • Is QOS causing IPSEC replay errors?

    Should there be a "service-policy" command on the outbound interface when using the "qos pre-classify" under the crypto map?
    I have several point-to-point links that use both the qos pre-classify and the service-policy on the interface, and all those links generate %CRYPTO-4-PKT_REPLAY_ERR errors under load.
    Other links that only encrypt are not getting the %CRYPTO-4-PKT_REPLAY_ERR errors under load.
    The documentation for QOS and VPN: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ac4.html
    Only states to use the "qos pre-classify" ???
    I believe the packets are going through the QOS process twice. Once before encryption, and then again afterward resulting in the resequencing.

    Hi,
    IPSec replay error can also be caused due to a smaller replay window size. You might wanna try increasing the replay window size.
    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html
    HTH,
    -Kanishka

  • Unable to Decrypt the data properly using javax.crypto class and SunJCE

    Hello all,
    I am not new to Java but new to this forums
    but new to JCE, and I wanted to write a program that Encrypts a file and also another program that decrypts it. As far as Encryption is concerned I have been successful, but when it comes to Decryption things aren't looking bright; I have some or the other Problem with it. Please help me out.
    Here is the Code for my Programs
    Encryption
    Code:
    import java.io.*;
    import javax.crypto.*;
    import javax.crypto.spec.SecretKeySpec;
    import java.security.*;
    import javax.swing.*;

    class MyJCE {
        public static void main(String args[]) throws Exception {
            Provider sunjce = new com.sun.crypto.provider.SunJCE();
            Security.addProvider(sunjce);
            JFileChooser jfc = new JFileChooser();
            int selection = jfc.showOpenDialog(null);
            if (selection == JFileChooser.APPROVE_OPTION) {
                FileInputStream fis = new FileInputStream(jfc.getSelectedFile());
                System.out.println("Selected file " + jfc.getSelectedFile());
                try {
                    KeyGenerator kg = KeyGenerator.getInstance("DESede");
                    SecretKey key = kg.generateKey();
                    byte[] mkey = key.getEncoded();
                    System.out.println(key);
                    SecretKeySpec skey = new SecretKeySpec(mkey, "DESede");
                    Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
                    cipher.init(Cipher.ENCRYPT_MODE, skey);
                    byte[] data = new byte[fis.available()];
                    // reading the file into data byte array
                    // (no fis.read(data) call follows, so data is still all zeros here)
                    byte[] result = cipher.update(data);
                    // fis.read(result) overwrites the ciphertext with the file's bytes and
                    // only its return value (the byte count) is used to size a fresh,
                    // zero-filled array, so what is written below is all zeros
                    byte[] enc = new byte[fis.read(result)];
                    System.out.println("Encrypted =" + result);
                    File fi = new File("/home/srikar/Encrypted");
                    FileOutputStream fos = new FileOutputStream(fi);
                    fos.write(enc);
                    fos.close();
                    byte[] encodedSpeckey = skey.getEncoded();
                    FileOutputStream ks = new FileOutputStream("./key.txt");
                    ks.write(encodedSpeckey);
                    ks.close();
                    System.out.println("Key written to a file");
                } // try
                catch (Exception ex) {
                    ex.printStackTrace();
                } // catch
            } // if
        } // main
    } // class
    This creates an Encrypted file and an Encrypted key.txt.
    Code:
    import java.io.*;
    import javax.crypto.*;
    import javax.crypto.spec.SecretKeySpec;
    import java.security.*;
    import javax.swing.*;

    class Decrypt {
        public static void main(String[] args) {
            try {
                JFileChooser jfc = new JFileChooser();
                int selection = jfc.showOpenDialog(null);
                if (selection == JFileChooser.APPROVE_OPTION) {
                    FileInputStream fis = new FileInputStream(jfc.getSelectedFile());
                    System.out.println("Selected file " + jfc.getSelectedFile());
                    // Read from the Encrypted Data
                    int ll = (int) jfc.getSelectedFile().length();
                    byte[] buffer = new byte[ll];
                    int bytesRead = fis.read(buffer);
                    byte[] data = new byte[bytesRead];
                    System.arraycopy(buffer, 0, data, 0, bytesRead);
                    // Read the Cipher Settings (key.txt holds the raw encoded DESede key)
                    FileInputStream rkey = new FileInputStream("./key.txt");
                    bytesRead = rkey.read(buffer);
                    byte[] encodedKeySpec = new byte[bytesRead];
                    System.arraycopy(buffer, 0, encodedKeySpec, 0, bytesRead);
                    // Recreate the Secret Symmetric Key
                    SecretKeySpec skeySpec = new SecretKeySpec(encodedKeySpec, "DESede");
                    // create the cipher for Decrypting
                    Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
                    cipher.init(Cipher.DECRYPT_MODE, skeySpec);
                    byte[] decrypted = cipher.update(data);
                    FileOutputStream fos = new FileOutputStream("/home/srikar/Decrypted");
                    fos.write(decrypted);
                    fos.close();
                } // if
            } // try
            catch (Exception e) {
                e.printStackTrace();
            } // catch
        } // main
    } // class
    This Decrypt.java is expected to decrypt the above encrypted file, but it simply creates a plaintext file of the same size as the Encrypted file whose contents are unreadable.
    Or I endup with Exceptions like BadPadding or IllegalBlockSize Exception if i use any other Algorithm .
    Please help out
    thanx in advance

    Srikar2871 wrote:
    > Well thanx for ur reply but
    > As i said there are No issues with ENCRYPTION and am getting an Encrypted file exactly of the same size as that of the original file and NOT as null bytes and Even am able to get a Decrypted file of again the same size of the Encrypted File but this time that data inside is in unreadable format.
    I ran your code EXACTLY* as posted and the contents of the file when viewed in a Hex editor was
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    So unless you are running different code to what you have posted, your file will look the same.
    Cheers,
    Shane

  • SAP Java Crypto Toolkit was not found

    Hi,
    I'm trying to install Netweaver 7.0 BI and portal with the SR3 package. The installation is a cluster installation on the Windows 2008 and SQL 2008 platform. When I came to the Central instance installation, on the Start Java phase I had the error. I put the error below. I checked the notes Note 1071472 - FileSystem SecureStore connection issues, Note 914818 - JSPM: Could not detect database, Note 1154133 - JSPM: SAP Java Crypto Toolkit was not found.
    Thank you For your Help.
    Bootstrap MODE:
    <INSTANCE GLOBALS>
    determined by parameter [ID0276347].
    Exception occurred:
    com.sap.engine.bootstrap.SynchronizationException: Database initialization failed! Check database properties!
         at com.sap.engine.bootstrap.Bootstrap.initDatabaseConnection(Bootstrap.java:476)
         at com.sap.engine.bootstrap.Bootstrap.<init>(Bootstrap.java:146)
         at com.sap.engine.bootstrap.Bootstrap.main(Bootstrap.java:971)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at com.sap.engine.offline.OfflineToolStart.main(OfflineToolStart.java:81)
    ==[ Caused by: ]==----
    com.sap.engine.frame.core.configuration.ConfigurationException: Error while connecting to DB.
         at com.sap.engine.core.configuration.impl.persistence.rdbms.DBConnectionPool.<init>(DBConnectionPool.java:115)
         at com.sap.engine.core.configuration.impl.persistence.rdbms.PersistenceHandler.<init>(PersistenceHandler.java:38)
         at com.sap.engine.core.configuration.impl.cache.ConfigurationCache.<init>(ConfigurationCache.java:149)
         at com.sap.engine.core.configuration.bootstrap.ConfigurationManagerBootstrapImpl.init(ConfigurationManagerBootstrapImpl.java:236)
         at com.sap.engine.core.configuration.bootstrap.ConfigurationManagerBootstrapImpl.<init>(ConfigurationManagerBootstrapImpl.java:49)
         at com.sap.engine.bootstrap.Synchronizer.<init>(Synchronizer.java:74)
         at com.sap.engine.bootstrap.Bootstrap.initDatabaseConnection(Bootstrap.java:473)
         at com.sap.engine.bootstrap.Bootstrap.<init>(Bootstrap.java:146)
         at com.sap.engine.bootstrap.Bootstrap.main(Bootstrap.java:971)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at com.sap.engine.offline.OfflineToolStart.main(OfflineToolStart.java:81)
    Caused by: com.sap.sql.log.OpenSQLException: Error while accessing secure store: Encryption or decryption is not possible because the full version of the SAP Java Crypto Toolkit was not found (iaik_jce.jar is required, iaik_jce_export.jar is not sufficient) or the JCE Jurisdiction Policy Files don't allow the use of the "PbeWithSHAAnd3_KeyTripleDES_CBC" algorithm..
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:106)
         at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:145)
         at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:226)
         at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:197)
         at com.sap.engine.core.configuration.impl.persistence.rdbms.DBConnectionPool.<init>(DBConnectionPool.java:112)
         ... 13 more
    Caused by: com.sap.security.core.server.secstorefs.NoEncryptionException: Encryption or decryption is not possible because the full version of the SAP Java Crypto Toolkit was not found (iaik_jce.jar is required, iaik_jce_export.jar is not sufficient) or the JCE Jurisdiction Policy Files don't allow the use of the "PbeWithSHAAnd3_KeyTripleDES_CBC" algorithm.
         at com.sap.security.core.server.secstorefs.SecStoreFS.openExistingStore(SecStoreFS.java:1975)
         at com.sap.sql.connect.OpenSQLConnectInfo.getStore(OpenSQLConnectInfo.java:802)
         at com.sap.sql.connect.OpenSQLConnectInfo.lookup(OpenSQLConnectInfo.java:783)
         at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:209)
         ... 15 more
    Caused by: javax.crypto.NoSuchPaddingException: Padding 'PKCS5Padding' not implemented.
         at iaik.security.cipher.w.engineSetPadding(Unknown Source)
         at iaik.security.cipher.PbeWithSHAAnd3_KeyTripleDES_CBC.<init>(Unknown Source)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
         at java.lang.Class.newInstance0(Class.java:308)
         at java.lang.Class.newInstance(Class.java:261)
         at javax.crypto.SunJCE_b.a(DashoA12275)
         at javax.crypto.SunJCE_b.a(DashoA12275)
         at javax.crypto.Cipher.a(DashoA12275)
         at javax.crypto.Cipher.getInstance(DashoA12275)
         at com.sap.security.core.server.secstorefs.Crypt.<init>(Crypt.java:220)
         at com.sap.security.core.server.secstorefs.SecStoreFS.<init>(SecStoreFS.java:1346)
         at com.sap.sql.connect.OpenSQLConnectInfo.getStore(OpenSQLConnectInfo.java:798)
         ... 17 more
    [Bootstrap module]> Problem occurred while performing synchronization.

    Hi
    > > Caused by: com.sap.sql.log.OpenSQLException: Error while accessing secure store: Encryption or decryption is not possible because the full version of the SAP Java Crypto Toolkit was not found (iaik_jce.jar is required, iaik_jce_export.jar is not sufficient) or the JCE Jurisdiction Policy Files don't allow the use of the "PbeWithSHAAnd3_KeyTripleDES_CBC" algorithm..
    >      at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:106)
    >      at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:145)
    >      at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:226)
    >      at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:197)
    >      at com.sap.engine.core.configuration.impl.persistence.rdbms.DBConnectionPool.<init>(DBConnectionPool.java:112)
    It looks like the JCE file which you have downloaded is not the correct one. As you can see some jar files are missing. Check JCE files.
    Check SAP Note 1240081 - "Java Cryptography Extension Jurisdiction Policy" files
    Thanks
    Sunny

  • Issue with multiple crypto isakmp policies

    Hey folks,
    I'm having an issue setting up multiple crypto isakmp policies on my 1921 router. Whenever I have only one crypto isakmp policy set up like so:
    crypto isakmp policy 1
     encr aes 256
     group 5
    It works perfectly fine with my certificate tunnel group in my ASA. When I debug crypto ipsec & debug crypto isakmp and watch the connection, I see this:
    ISAKMP transform 1 against priority 1 policy
    *Oct  7 20:04:09.263: ISAKMP:      encryption AES-CBC
    *Oct  7 20:04:09.263: ISAKMP:      keylength of 256
    *Oct  7 20:04:09.263: ISAKMP:      hash SHA
    *Oct  7 20:04:09.263: ISAKMP:      default group 5
    *Oct  7 20:04:09.263: ISAKMP:      auth RSA sig
    *Oct  7 20:04:09.263: ISAKMP:      life type in seconds
    *Oct  7 20:04:09.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Oct  7 20:04:09.263: ISAKMP:(0):atts are acceptable. Next payload is 0
    This is showing me that the handshake is verifying the policy with the "auth RSA sig" type, which is what I expected and is what I want.
    Here is where my issue actually comes up. When I add another crypto isakmp policy (2) the "authorization pre-share" over rides the "authorization rsa-sig" of policy 1. Here is what I have set up:
    crypto isakmp policy 1
     encr aes 256
     group 5
    crypto isakmp policy 2
     encr aes 256
     authentication pre-share
     group 5
    This is showing me that crypto isakmp policy 1 is set with the default authorization type of rsa-sig (in fact if I manually enter that command under the policy 1 configuration mode and it doesn't print in the show run output), and the crypto isakmp policy 2 is set to authorization pre-share.
    When I debug crypto ipsec & debug crypto isakmp with this configuration, this is what I'm getting:
    56:46.259: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 199.46.128.5)
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Oct  7 19:56:46.263: ISAKMP:(0):Authentication method offered does not match policy!
    *Oct  7 19:56:46.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    It looks like the first policy is being verified against "auth pre-share" and fails because "Authentication method offered does not match policy!". My question is, does anyone know how to correct this so that the first policy is set to authenticate via rsa-sig and the second policy is authenticated via pre-shared keys? Is there a bug that will not differentiate the authorization types between the two policies?
    Just an FYI, here is the version information of the router:
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 26-Feb-13 02:11 by prod_rel_team
    ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
    System returned to ROM by power-on
    System image file is "usbflash0:c1900-universalk9-mz.SPA.152-4.M3.bin"
    Last reload type: Normal Reload
    Last reload reason: power-on
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.
    Processor board ID FTX171385L4
    2 Gigabit Ethernet interfaces
    1 terminal line
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    249840K bytes of USB Flash usbflash0 (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO1921/K9         
    Technology Package License Information for Module:'c1900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    data          None          None           None
    Configuration register is 0x2102

    Thanks for the input Walter. That isn't it though. I have plenty of sites with crypto map <name> 1 which map to crypto isakmp policy 2 settings. The debug is showing that the behavior is to try to authenticate through policy 1 first, and then progress to any other policies until there is a match. Since there is a match with policy 2 settings, the tunnel comes up.
    My real question is, why would it change from "auth RSA sig" in the first debug output to the "auth pre-share" in the second debug output. Judging by the config on the router, it appears to me that the line for "authorization pre-share" under policy 2 SHOULD only apply to policy 2 and SHOULD NOT override the "authorization rsa-sig" of policy 1.
    Again, when I debug crypto ipsec & debug crypto isakmp, it shows clearly that the first policy is being verified, however the "auth" is now "pre-share" and no longer "RSA sig":
    56:46.259: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 199.46.128.5)
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share     <---This should read "auth RSA sig"
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Oct  7 19:56:46.263: ISAKMP:(0):Authentication method offered does not match policy!
    *Oct  7 19:56:46.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
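As an added helper (not from this thread), the Python below groups a `debug crypto isakmp` capture into one record per policy comparison: the attributes the peer offered, whether that local policy accepted them, and the stated reason. The sample input is constructed from the debug quoted above, with an `atts are acceptable` line added for the second policy.

```python
import re

# Constructed sample modeled on the thread's debug; the final "atts are acceptable" line is added here.
_OFFER = """\
*Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
*Oct  7 19:56:46.263: ISAKMP:      keylength of 256
*Oct  7 19:56:46.263: ISAKMP:      hash SHA
*Oct  7 19:56:46.263: ISAKMP:      default group 5
*Oct  7 19:56:46.263: ISAKMP:      auth pre-share
*Oct  7 19:56:46.263: ISAKMP:      life type in seconds
*Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
"""
_P = "*Oct  7 19:56:46.263: ISAKMP:(0):"
SAMPLE_DEBUG = (
    _P + "Checking ISAKMP transform 2 against priority 1 policy\n" + _OFFER
    + _P + "Authentication method offered does not match policy!\n"
    + _P + "atts are not acceptable. Next payload is 0\n"
    + _P + "Checking ISAKMP transform 2 against priority 2 policy\n" + _OFFER
    + _P + "atts are acceptable. Next payload is 0\n"
)

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^(encryption|keylength of|hash|default group|auth|life type in|life duration \(VPI\) of)\s+(.*)$")
BODY = re.compile(r"ISAKMP:(?:\(\d+\):)?\s*(.*)$")  # strips the timestamp and ISAKMP:(n): prefix
KEYS = {"encryption": "encryption", "keylength of": "keylength", "hash": "hash",
        "default group": "group", "auth": "auth", "life type in": "life_type"}

def parse_isakmp_debug(text):
    """One record per (offered transform, local policy) comparison in a debug crypto isakmp capture."""
    checks, cur = [], None
    for m in filter(None, map(BODY.search, text.splitlines())):
        line = m.group(1).strip()
        h, a = HEADER.match(line), ATTR.match(line)
        if h:
            cur = {"transform": int(h.group(1)), "policy": int(h.group(2)),
                   "offered": {}, "result": "unknown", "reason": None}
            checks.append(cur)
        elif cur is None:
            continue  # lines before the first policy check (e.g. the trustpoint lookup) are ignored
        elif line.startswith("atts are"):
            cur["result"] = "rejected" if line.startswith("atts are not") else "accepted"
        elif line.endswith("does not match policy!"):
            cur["reason"] = line.rstrip("!")  # e.g. "Authentication method offered does not match policy"
        elif a and a.group(1).startswith("life duration"):
            # The lifetime is printed as big-endian bytes: 0x0 0x1 0x51 0x80 == 86400 seconds.
            cur["offered"]["lifetime"] = int.from_bytes(bytes(int(t, 16) for t in a.group(2).split()), "big")
        elif a:
            cur["offered"][KEYS[a.group(1)]] = a.group(2)
    return checks
```

The attribute lines under each `Checking ISAKMP transform` header are the peer's offered transform, which is why they are identical under both policy checks; what differs is the verdict, and the first policy to report `atts are acceptable` is the one the negotiation proceeds with.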

  • Compatibility between Java crypto and open ssl

    Hello
    I have some question about compatibility between java crypto and openssl library.
    This is my case:
    1. I created DESede key and stored it to file:
    SecretKey key = KeyGenerator.getInstance("TripleDES").generateKey();
    File f = new File("c:\\key.dat");
    DataOutputStream dos = new DataOutputStream(new FileOutputStream(f));
    dos.write(key.getEncoded());
    dos.close();
    2. I encrypt some file "c:\\normal.dat" through:
    ecipher.init(Cipher.ENCRYPT_MODE, key2);
    byte[] enc = ecipher.doFinal(normalData);
    File f2 = new File("c:\\enc.dat");
    DataOutputStream dos = new DataOutputStream(new FileOutputStream(f2));
    dos.write(enc);
    dos.close();

    You have carefully left out some critical java code, namely the Cipher.getInstance() method. You'll notice in the documentation for this method that there are 3 components to the "transform" argument of this method: the algorithm, the mode, and the padding. All of these must match exactly with what openssl is using. Furthermore, if you are using one of the modes which require an IV, like CBC mode, then this must match exactly too. If you don't explicitly specify some of these parameters, you might get default values supplied. It is up to you to find out what these are.

  • I'm trying to use import com.adobe.crypto.* on Windows version of my App but get error 1172:Definition com.adobe.crypto could not be found

    The Mac version of my Air app works fine, so does the iPad version, but the PC version has been a bit of a nightmare.
    I keep getting the error "1172:Definition com.adobe.crypto could not be found", when I publish it.
    Basically the 'com' folder is in the same directory as the app I am publishing and within that is 'adobe' and within that is 'crypto' within that is a series of .as files.
    I've added C:\Users\Gary\Documents\My_Applications\My_App_folder\com\adobe\crypto to source path list (I have no idea if that's right).
    But that just gives me a different error 5001: The name of package com.adobe.crypto does not reflect the location of this file. Please change the package definitions name inside the file.......
    I didn't have to include this source in the Mac version... but someone seemed to suggest it on a forum.
    I'm basically stabbing in the dark at the moment, something I seem to be doing a lot of these days. :-(
    Any help would be greatly appreciated.
    Many Thanks
    Gary

    I've figured it out
    Turns out I needed to add a source path (in the Actionscript 3 settings click on the Source File Tab) that exactly matches the directory the app and com folder is inside of. I wrongly assumed that Adobe Air could figure out where it was for itself, but no.... it needs to be told where to look for the com folder even though it's staring it right in its face. (Don't set the path to the 'com' folder itself, but to the enclosing folder that the .fla and the com is in).
    The Mac version doesn't seem to need that, it just finds the com folder if it's inside the same folder.
    Now I've got another massive error:-
    When I test the app, it works fine sending to Air for Desktop, however when I publish with embedded runtime for Windows.... It comes up with this error.
    Any ideas ?

  • Multiple Crypto Maps on Single Outside Interface

    Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
    crypto map azure-crypto-map 10 match address azure-vpn-acl
    crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
    crypto map azure-crypto-map interface outside
    However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
    crypto map azure-crypto-map interface outside
    which blows away my original line:
    crypto map outside_map interface outside
    It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

    Hi,
    You can use the same "crypto map"
    Just add
    crypto map outside_map 10 match address azure-vpn-acl
    crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
    Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
    And what I mean with the above is that when a L2L VPN connection is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
    If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
    Hope this helps
    - Jouni
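    The ordering rule Jouni describes, together with the binding clash in the original question, as an added Python check (not from this thread or from Cisco): it flags interfaces that more than one `crypto map ... interface` line tries to bind, folds the entries of one map into another while refusing sequence-number collisions, and verifies that the dynamic entry still sorts after the static ones. The sample config is constructed from the two snippets above with a placeholder peer address.

```python
import re

# Constructed sample built from the two configurations quoted above; the peer address is a placeholder.
SAMPLE_CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer 203.0.113.10
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
""".splitlines()

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.*)$")      # numbered entry of a crypto map
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")  # binding of a map to an interface

def entries(lines, map_name):
    """(sequence, rest-of-line) for every numbered entry of `map_name`."""
    return [(int(m.group(2)), m.group(3)) for m in map(ENTRY.match, lines) if m and m.group(1) == map_name]

def conflicting_interfaces(lines):
    """Interfaces that more than one crypto map is bound to; the ASA keeps only the last binding."""
    bound = {}
    for m in filter(None, map(BIND.match, lines)):
        bound.setdefault(m.group(2), []).append(m.group(1))
    return {intf: maps for intf, maps in bound.items() if len(set(maps)) > 1}

def static_before_dynamic(lines, map_name):
    """True if every dynamic entry of `map_name` has a higher sequence than all static ones (matched in order)."""
    ent = entries(lines, map_name)
    highest_static = max((seq for seq, rest in ent if "ipsec-isakmp dynamic" not in rest), default=0)
    return all(seq > highest_static for seq, rest in ent if "ipsec-isakmp dynamic" in rest)

def merge_crypto_maps(lines, source, target):
    """Move the numbered entries of `source` into `target` and drop source's interface binding."""
    used = {seq for seq, _ in entries(lines, target)}
    out = []
    for line in lines:
        e, b = ENTRY.match(line), BIND.match(line)
        if e and e.group(1) == source:
            if int(e.group(2)) in used:  # the ASA would silently fold both into one entry
                raise ValueError(f"sequence {e.group(2)} already used in crypto map {target}")
            out.append(f"crypto map {target} {e.group(2)} {e.group(3)}")
        elif not (b and b.group(1) == source):
            out.append(line)
    return out
```

Running `merge_crypto_maps(SAMPLE_CONFIG, "azure-crypto-map", "outside_map")` yields exactly the three `outside_map 10` lines Jouni suggests, with the single existing `interface outside` binding left in place.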
