Anti-Replay Window


On SRX Series devices, the anti-replay window is enabled by default with a window size of 64.

On the SRX Series 5000 line of devices with SPC3 cards installed, you can configure the anti-replay window size in the range of 64 to 8192 (a power of 2). To configure the window size, use the new anti-replay-window-size option. Each incoming packet is checked for replay against the configured anti-replay-window-size: the device tracks which sequence numbers within the window it has already accepted and rejects duplicates and packets that fall behind the window.

You can configure anti-replay-window-size at two different levels:

  • Global level—Configured at the [edit security ipsec] hierarchy level.

    For example:

  • VPN object—Configured at the [edit security ipsec vpn vpn-name ike] hierarchy level.

    For example:

If the window size is configured at both levels, the window size configured on the VPN object takes precedence over the window size configured at the global level. If no window size is configured at either level, the default of 64 applies.

To disable the anti-replay window option on a VPN object, use the set no-anti-replay command at the [edit security ipsec vpn vpn-name ike] hierarchy level. You cannot disable anti-replay at the global level.

You cannot configure both anti-replay-window-size and no-anti-replay on a VPN object.
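As an added example, not Juniper code and not from this page: a Python model of the window-size rules above (the 64 to 8192 power-of-2 range, the default of 64, VPN-object precedence over the global setting, and the mutual exclusion of anti-replay-window-size and no-anti-replay) together with an RFC 4303-style sliding anti-replay window, so the effect of the window size on out-of-order and replayed sequence numbers can be seen. The function names and the sample sequence numbers are constructed for this illustration.

```python
# Added example (not Juniper code): models the anti-replay window-size rules
# described on this page and an RFC 4303 Appendix A style sliding window.

MIN_WINDOW = 64       # default and smallest configurable size
MAX_WINDOW = 8192     # largest configurable size on SPC3 platforms


def is_valid_window_size(size: int) -> bool:
    """True if size is a power of 2 between 64 and 8192 inclusive."""
    return MIN_WINDOW <= size <= MAX_WINDOW and size & (size - 1) == 0


def effective_window(global_size=None, vpn_size=None, vpn_no_anti_replay=False):
    """Window size that applies to one VPN object, or None if anti-replay is
    disabled on it. VPN-object settings win over the global setting; the
    default is 64; no-anti-replay and anti-replay-window-size cannot both be
    set on the VPN object (hypothetical helper, not a Junos API)."""
    if vpn_no_anti_replay and vpn_size is not None:
        raise ValueError("anti-replay-window-size and no-anti-replay are mutually exclusive")
    if vpn_no_anti_replay:
        return None
    for size in (vpn_size, global_size):
        if size is not None:
            if not is_valid_window_size(size):
                raise ValueError(f"invalid anti-replay-window-size {size}")
            return size
    return MIN_WINDOW


class AntiReplayWindow:
    """Sliding window over ESP sequence numbers (RFC 4303 Appendix A style).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number top - i has already been received."""

    def __init__(self, size: int):
        if not is_valid_window_size(size):
            raise ValueError(f"invalid anti-replay-window-size {size}")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new; False if it is a replay or
        has fallen behind the window. Sequence number 0 is never valid."""
        if seq == 0:
            return False
        mask = (1 << self.size) - 1
        if seq > self.top:                       # ahead of the window: slide it
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # older than the window
            return False
        if (self.bitmap >> offset) & 1:          # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


def replay_demo(size: int, sequence):
    """Feed a constructed sequence of ESP sequence numbers through one window
    and return the accept/reject decision for each."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in sequence]


if __name__ == "__main__":
    # Constructed sample: a burst arrives, then late packets 36, 37 and 35.
    sample = [100, 36, 37, 35, 100]
    print("window 64  :", replay_demo(64, sample))    # 36 and 35 fall outside, 100 is a replay
    print("window 8192:", replay_demo(8192, sample))  # larger window tolerates the reordering
    print("effective :", effective_window(global_size=256, vpn_size=1024))
```

With the default window of 64, packet 36 is rejected after packet 100 has been accepted because it is 64 sequence numbers behind the top of the window, while 37 is still inside it; the same reordering is accepted in full with a window of 8192. The second copy of 100 is rejected in both cases because its bit is already set, which is the replay case the window exists to catch.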