Hi all,
There is the following KB addressing the replay errors on SRX.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB29580
There are 3 hubs and more than 200 spokes. In line with the KB, the statement "set security vpn name ike no-anti-replay" should be added to the current IPsec VPN configuration on both hubs and spokes to avoid anti-replay errors.
Can I ask what is the best way to deploy this statement? It is really a pain to inject it into every sub st0 interface. Is there an acceptable way to inject it globally so that it affects all sub st0 interfaces on hub and spoke devices?
RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on ge-1/0/1.0 with tunnel ID 0x4000118! From 55.10.11.50 to 100.220.220.150/552, ESP, SPI 0x6bba160c, SEQ 0x5f29
Thanks,
A.
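
To see which tunnels and peers actually log replay drops before touching 200+ spokes, the RT_IPSEC_REPLAY messages can be tallied per tunnel. This is an added example, not part of the original post; the regular expression follows the single log line quoted in the post, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Layout follows the log line in the post. The number after the destination
# address ("/552") is kept as text; the post does not say what it means.
REPLAY_RE = re.compile(
    r"RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on (?P<ifname>\S+) "
    r"with tunnel ID (?P<tunnel>0x[0-9a-fA-F]+)! From (?P<src>\S+) to "
    r"(?P<dst>[^/\s]+)/(?P<extra>\d+), (?P<proto>\w+), "
    r"SPI (?P<spi>0x[0-9a-fA-F]+), SEQ (?P<seq>0x[0-9a-fA-F]+)"
)

def parse_replay(line):
    """Return the fields of one replay message, or None for any other line."""
    m = REPLAY_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["seq"] = int(event["seq"], 16)
    return event

def summarize(lines):
    """Count replay drops per (tunnel ID, source peer), with SPIs and SEQ range."""
    stats = defaultdict(lambda: {"count": 0, "spis": set(), "seq_min": None, "seq_max": None})
    for line in lines:
        event = parse_replay(line)
        if event is None:
            continue
        s = stats[(event["tunnel"], event["src"])]
        s["count"] += 1
        s["spis"].add(event["spi"])
        s["seq_min"] = event["seq"] if s["seq_min"] is None else min(s["seq_min"], event["seq"])
        s["seq_max"] = event["seq"] if s["seq_max"] is None else max(s["seq_max"], event["seq"])
    return dict(stats)

PREFIX = "RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on ge-1/0/1.0 with tunnel ID "
SAMPLE = [  # first line is from the post; the rest are constructed
    PREFIX + "0x4000118! From 55.10.11.50 to 100.220.220.150/552, ESP, SPI 0x6bba160c, SEQ 0x5f29",
    PREFIX + "0x4000118! From 55.10.11.50 to 100.220.220.150/552, ESP, SPI 0x6bba160c, SEQ 0x5f31",
    PREFIX + "0x4000200! From 192.0.2.10 to 100.220.220.150/120, ESP, SPI 0x0a0b0c0d, SEQ 0x10",
    "unrelated syslog line (constructed)",
]

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for (tunnel, src), s in ranked:
        print(tunnel, src, s["count"], sorted(s["spis"]), hex(s["seq_min"]), hex(s["seq_max"]))
```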