https://community.checkpoint.com/t5/General-Topics/VPN-reply-attack-from-trusted-sources/m-p/231840#M38741 <P>Hello,</P><P>I have more gateways on MDS, all managed by us.</P><P>They have a vpn site to site with the main gateway, with permanent tunnels.</P><P>From time to time I notices messages like this:</P><H2><FONT color="#000000"><FONT size="4">encryption_failure:&nbsp;</FONT><FONT size="4"><A href="https://splunk.acs.rolex.com:8000/fr-FR/app/UI-RLX-af_geneva/search?q=search%20index%3Dfirewall_acs_idx%20action!%3Dallowed%20replay%20encryption_failure%3D%22Warning%3A%20possible%20replay%20attack.%20Sequence%20Number%20*%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-30d%40d&amp;latest=now&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1730884861.17905#" target="_blank" rel="noopener">Warning: possible replay attack. Sequence Number xxx (Expected yyyy)</A></FONT></FONT></H2><P>Which could be the most reasonable explaination and how to prevent it?</P><P>&nbsp;</P><P>Another question: what about a real attack from untrusted source, is there any hardening or the normal secury sequence check is enough?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 06 Nov 2024 09:41:28 GMT Ilovecheckpoint 2024-11-06T09:41:28Z https://community.checkpoint.com/t5/General-Topics/VPN-reply-attack-from-trusted-sources/m-p/231840#M38741 <P>Hello,</P><P>I have more gateways on MDS, all managed by us.</P><P>They have a vpn site to site with the main gateway, with permanent tunnels.</P><P>From time to time I notices messages like this:</P><H2><FONT color="#000000"><FONT size="4">encryption_failure:&nbsp;</FONT><FONT size="4"><A href="https://splunk.acs.rolex.com:8000/fr-FR/app/UI-RLX-af_geneva/search?q=search%20index%3Dfirewall_acs_idx%20action!%3Dallowed%20replay%20encryption_failure%3D%22Warning%3A%20possible%20replay%20attack.%20Sequence%20Number%20*%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-30d%40d&amp;latest=now&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1730884861.17905#" target="_blank" rel="noopener">Warning: possible replay attack. Sequence Number xxx (Expected yyyy)</A></FONT></FONT></H2><P>Which could be the most reasonable explaination and how to prevent it?</P><P>&nbsp;</P><P>Another question: what about a real attack from untrusted source, is there any hardening or the normal secury sequence check is enough?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 06 Nov 2024 09:41:28 GMT https://community.checkpoint.com/t5/General-Topics/VPN-reply-attack-from-trusted-sources/m-p/231840#M38741 Ilovecheckpoint 2024-11-06T09:41:28Z https://community.checkpoint.com/t5/General-Topics/VPN-reply-attack-from-trusted-sources/m-p/231843#M38742 <P><A href="https://support.checkpoint.com/results/sk/sk94984" target="_blank" rel="noopener"><SPAN>sk94984: VPN traffic is dropped with "<STRONG>Encryption failure</STRONG>: <STRONG>Warning</STRONG>: <STRONG>possible</STRONG> <STRONG>replay</STRONG> <STRONG>attack</STRONG>" log</SPAN></A></P> <P><A href="https://support.checkpoint.com/results/sk/sk111156" target="_blank" rel="noopener"><SPAN>sk111156: VPN traffic dropped with "<STRONG>Encryption failure</STRONG>: <STRONG>Warning</STRONG>: <STRONG>possible</STRONG> <STRONG>replay</STRONG> <STRONG>attack</STRONG>" log</SPAN></A></P> <P><SPAN><A href="https://community.checkpoint.com/t5/Security-Gateways/could-someone-advice-me-how-to-determine-the-value-for-quot/m-p/122345#M17513" target="_blank" rel="noopener">could someone advice me how to determine the value for "ipsec.<STRONG>replay</STRONG>_counter_window_size"</A></SPAN></P> Wed, 06 Nov 2024 10:49:22 GMT https://community.checkpoint.com/t5/General-Topics/VPN-reply-attack-from-trusted-sources/m-p/231843#M38742 G_W_Albrecht 2024-11-06T10:49:22Z