On SRX Series devices, anti-replay protection is enabled by default with a window size of 64.
On the SRX Series 5000 line of devices with SPC3 cards installed, you can configure the anti-replay window size in the range 64 to 8192 (powers of 2 only). To configure the window size, use the anti-replay-window-size option. Each incoming packet is checked for replay against the configured anti-replay-window-size: a packet whose sequence number has already been seen, or that falls further behind the highest received sequence number than the window size allows, is dropped.
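The following added example (illustration only, not Junos code) models the sliding anti-replay window of RFC 4303 so the effect of the window size can be seen on constructed traffic. It enforces the same 64 to 8192, power-of-2 bound stated above, and feeds one constructed ESP sequence-number trace through a 64-entry and a 256-entry window: a legitimate packet that arrives 190 positions late is dropped by the smaller window and accepted by the larger one, while a true replay is dropped by both.

```python
"""Sliding anti-replay window in the style of RFC 4303 (ESP).

Added illustration, not Junos code. A receiver tracks the highest
authenticated sequence number and a bitmap of the previous N-1 numbers;
anything older than that, or already marked in the bitmap, is a replay.
"""


class AntiReplayWindow:
    """Receiver-side replay window of `size` sequence numbers."""

    def __init__(self, size=64):
        # Same bound the page gives for SPC3: 64..8192, powers of 2 only.
        if size < 64 or size > 8192 or size & (size - 1):
            raise ValueError("window size must be a power of 2 in 64..8192")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) already received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window.

        A real receiver runs the check before integrity verification and
        updates the bitmap only after the ICV passes; here both are merged
        because the constructed trace is assumed to be authentic.
        """
        if seq == 0:
            return False  # ESP sequence numbers start at 1
        if seq > self.highest:
            # Packet is ahead of the window: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything previously tracked is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # too far behind: fell off the left edge, treated as replay
        if self.bitmap & (1 << offset):
            return False  # already received once: genuine replay
        self.bitmap |= 1 << offset
        return True


def run_trace(window_size, seqs):
    """Feed an arrival order through one window; return (accepted, dropped)."""
    win = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for s in seqs:
        (accepted if win.check_and_update(s) else dropped).append(s)
    return accepted, dropped


# Constructed trace (not captured traffic): packets 1..200 arrive in order
# except that packet 10 is delayed until after 200, then packet 150 is
# replayed by an attacker.
LATE_ARRIVAL_TRACE = [s for s in range(1, 201) if s != 10] + [10, 150]

if __name__ == "__main__":
    for size in (64, 256):
        accepted, dropped = run_trace(size, LATE_ARRIVAL_TRACE)
        print(f"window {size:4d}: accepted {len(accepted)} packets, dropped {dropped}")
```

With the 64-entry window both 10 (late, but legitimate) and 150 (replay) are dropped; with 256 only the replay is dropped. That is the trade-off behind a larger anti-replay-window-size: it tolerates more reordering on the path without letting any duplicate through, since the bitmap still rejects every sequence number it has already seen.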
You can configure anti-replay-window-size at two different levels:
Global level—Configured at the [edit security ipsec] hierarchy level.
For example: [edit security ipsec] user@host# set anti-replay-window-size <64..8192>
VPN object—Configured at the [edit security ipsec vpn vpn-name ike] hierarchy level.
For example: [edit security ipsec vpn vpn-name ike] user@host# set anti-replay-window-size <64..8192>
If anti-replay-window-size is configured at both levels, the window size configured at the VPN object level takes precedence over the window size configured at the global level for that VPN. If anti-replay-window-size is not configured at either level, the window size is 64 by default.
To disable the anti-replay window option on a VPN object, use the set no-anti-replay command at the [edit security ipsec vpn vpn-name ike] hierarchy level. You cannot disable anti-replay at the global level.
You cannot configure both anti-replay-window-size and no-anti-replay on a VPN object.