https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/228918#M44095 <P>Response from TAC:</P><OL><LI><P>Connect with SmartConsole to the Security Management Server / Domain Management Server.</P></LI><LI><P>Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).</P><P>Verify by running the "<EM>cpstat mg</EM>" command on Security Management Server / in the context of&nbsp;<EM>each</EM>&nbsp;Domain Management Server.</P></LI><LI><P>Connect with&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk13009" target="_blank" rel="noopener">GuiDBedit Tool</A>&nbsp;to the Security Management Server / Domain Management Server.</P></LI><LI><P>In the upper left pane, go to&nbsp;<EM><STRONG>Table</STRONG></EM>&nbsp;-&nbsp;<EM><STRONG>Network Objects</STRONG></EM>&nbsp;-&nbsp;<EM><STRONG>network_objects</STRONG></EM>.</P></LI><LI><P>In the upper right pane, select the relevant Security Gateway / Cluster object.</P></LI><LI><P>Press CTRL+F (or go to&nbsp;<EM><STRONG>Search</STRONG></EM>&nbsp;menu -&nbsp;<EM><STRONG>Find</STRONG></EM>) - paste&nbsp;<EM><STRONG>ipsec.replay_counter_window_size</STRONG></EM>&nbsp;- click on&nbsp;<EM><STRONG>Find Next</STRONG></EM>.</P></LI><LI><P>In the lower pane, right-click on the&nbsp;<EM><STRONG>ipsec.replay_counter_window_size</STRONG></EM>&nbsp;- select&nbsp;<EM><STRONG>Edit...</STRONG></EM>&nbsp;- delete the default value of 64 - enter the relevant value - click on&nbsp;<EM><STRONG>OK</STRONG></EM>.</P></LI><LI><P>Save the changes: go to&nbsp;<EM><STRONG>File</STRONG></EM>&nbsp;menu - click on&nbsp;<EM><STRONG>Save All</STRONG></EM>.</P></LI><LI><P>Close the GuiDBedit Tool.</P></LI><LI><P>Connect with SmartConsole to the Security Management Server / Domain Management Server.</P></LI><LI><P>Install the policy onto the relevant Security Gateway / Cluster object.</P></LI></OL><P><SPAN>Keep in mind that the default value is 64, and there is no desired value - you will need to lower or higher it until it reaches the correct value where this issue does not re-appear.</SPAN></P> Fri, 04 Oct 2024 07:57:09 GMT isazonov 2024-10-04T07:57:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122345#M17513 <P>Hi,<BR />could someone direct me how I can adjust the setting to avoid VPN Tunnel termination due to "possible replay attack".<BR /><BR />I do have the issue described in sk94984. The issue exists only for one Tunnel. The issue is gone when I disable the replay check. Now I wanted to turn it back on and adjust the window size. In the SK they only say to adjust it to the relevant value.</P><P>In the logs I do have the message:</P><P>Warning: possible replay attack. Sequence Number 1490945 (Expected 1491179)</P><P>Currently I used 1200 as window size but the tunnel is still being terminated.</P><P>&nbsp;</P><P>How can I determine / calculate the value? Seem that it isn’t just 1491179-1490945</P><P>Thanks</P><P>R80.40 T94</P> Mon, 28 Jun 2021 10:25:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122345#M17513 Florian_Schneid 2021-06-28T10:25:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122355#M17514 <P>Better use the information found in&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk94984&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk94984: VPN traffic is dropped with "Encryption failure: Warning: possible replay attack" log</A>&nbsp;and involve TAC if this does not help.&nbsp;</P> Mon, 28 Jun 2021 12:51:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122355#M17514 G_W_Albrecht 2021-06-28T12:51:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122357#M17515 <P>Hi Günter,<BR /><BR />as mentioned above I followed the SK94984. But i didn't want to have the reply check disabled in general. So i decided to do the route descibed in the additional part of the SK and adjust the window size. I did adjust it to 1200 the log shows it triggered even it was only 234 as from the logs.</P><P>regards</P><P>Florian</P> Mon, 28 Jun 2021 12:59:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122357#M17515 Florian_Schneid 2021-06-28T12:59:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122364#M17516 <P>So i would suggest to involve TAC !</P> Mon, 28 Jun 2021 13:48:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122364#M17516 G_W_Albrecht 2021-06-28T13:48:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/228918#M44095 <P>Response from TAC:</P><OL><LI><P>Connect with SmartConsole to the Security Management Server / Domain Management Server.</P></LI><LI><P>Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).</P><P>Verify by running the "<EM>cpstat mg</EM>" command on Security Management Server / in the context of&nbsp;<EM>each</EM>&nbsp;Domain Management Server.</P></LI><LI><P>Connect with&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk13009" target="_blank" rel="noopener">GuiDBedit Tool</A>&nbsp;to the Security Management Server / Domain Management Server.</P></LI><LI><P>In the upper left pane, go to&nbsp;<EM><STRONG>Table</STRONG></EM>&nbsp;-&nbsp;<EM><STRONG>Network Objects</STRONG></EM>&nbsp;-&nbsp;<EM><STRONG>network_objects</STRONG></EM>.</P></LI><LI><P>In the upper right pane, select the relevant Security Gateway / Cluster object.</P></LI><LI><P>Press CTRL+F (or go to&nbsp;<EM><STRONG>Search</STRONG></EM>&nbsp;menu -&nbsp;<EM><STRONG>Find</STRONG></EM>) - paste&nbsp;<EM><STRONG>ipsec.replay_counter_window_size</STRONG></EM>&nbsp;- click on&nbsp;<EM><STRONG>Find Next</STRONG></EM>.</P></LI><LI><P>In the lower pane, right-click on the&nbsp;<EM><STRONG>ipsec.replay_counter_window_size</STRONG></EM>&nbsp;- select&nbsp;<EM><STRONG>Edit...</STRONG></EM>&nbsp;- delete the default value of 64 - enter the relevant value - click on&nbsp;<EM><STRONG>OK</STRONG></EM>.</P></LI><LI><P>Save the changes: go to&nbsp;<EM><STRONG>File</STRONG></EM>&nbsp;menu - click on&nbsp;<EM><STRONG>Save All</STRONG></EM>.</P></LI><LI><P>Close the GuiDBedit Tool.</P></LI><LI><P>Connect with SmartConsole to the Security Management Server / Domain Management Server.</P></LI><LI><P>Install the policy onto the relevant Security Gateway / Cluster object.</P></LI></OL><P><SPAN>Keep in mind that the default value is 64, and there is no desired value - you will need to lower or higher it until it reaches the correct value where this issue does not re-appear.</SPAN></P> Fri, 04 Oct 2024 07:57:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/228918#M44095 isazonov 2024-10-04T07:57:09Z