IPsec Performance Impacted When Replay Protection is Enabled

44454
Created On 06/22/21 23:29 PM - Last Modified 04/04/25 19:01 PM


Symptom


  • Lower than expected throughput on an IPsec tunnel.
  • The higher the latency between client and server, the greater the performance impact.
  • The global counter flow_tunnel_ipsec_replay_err increments, for example:
> show counter global filter packet-filter yes delta yes 

Global counters:
Elapsed time since last sampling: 180.93  seconds

name                            value  rate  severity  category  aspect    description
----------------------------------------------------------------------------------------------
flow_tunnel_ipsec_replay_err    105     5     drop      flow    tunnel     Packet dropped: header sequence number is a replay


Environment


  • Palo Alto Firewall
  • PAN-OS
  • IPsec tunnel


Cause


  • Each ESP packet the sender encrypts carries a unique, monotonically increasing sequence number. On the receiving end the sequence number of each decrypted packet is checked against a sliding anti-replay window anchored at the highest sequence number accepted so far. A packet that is older than the window's lower edge, or a duplicate of one already seen inside the window, is dropped and counted under flow_tunnel_ipsec_replay_err. The check uses a 64-packet window in this article's example; on current PAN-OS the window is configurable and defaults to 1024 (see Resolution).
  • Packets fall outside the window when they are lost or reordered in transit (for example, a delayed packet that arrives after more than a window's worth of newer packets), and occasionally because the encrypting side itself emits sequence numbers out of order.
  • Even a small number of replay drops during a fast transfer measurably reduces tunnel throughput: TCP treats each drop as congestion and backs off, and recovery takes longer the higher the round-trip latency. A high bandwidth-delay product also means more packets are in flight, so a given reordering delay spans more sequence numbers and is more likely to exceed the window.


Resolution


  1. Configure a larger Anti Replay Window size on the IPsec tunnel of the firewall that is logging the drops. The window is enforced by the receiver of each direction, so each end's setting governs only the traffic it receives; the peer's setting is independent.
  2. Starting from the default of 1024, step up to the next available window size, commit, and re-run the show counter command with delta yes until flow_tunnel_ipsec_replay_err stops incrementing. A larger window admits more reordering but still rejects duplicates within the window and anything older than it, so widening the window is preferable to disabling replay protection. If drops persist at the largest window, look for loss or reordering on the path (per-packet load balancing, QoS reordering) rather than widening further.
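The following is an added example, not code from the article or from PAN-OS: a Python model of the receiver-side anti-replay window described under Cause, in the style of RFC 4303 Appendix A, used to show why the gradual window increase in the Resolution works. The packet streams are constructed for illustration, and the window sizes 64 and 1024 are the two the article mentions. It shows a packet reordered by 100 positions being dropped as a replay with a 64-packet window and accepted with 1024, and a genuine replay being rejected at any window size. Extended sequence numbers and the rule that the window is advanced only after the ICV verifies are not modelled.

```python
"""Sliding-window anti-replay check (added example, not PAN-OS code).

Bit i of `bitmap` is set when sequence number (highest - i) has already been
seen, so a window of `size` covers highest-size+1 .. highest.  Packet streams
below are constructed; ESN and ICV-before-update are not modelled.
"""


class AntiReplayWindow:
    """Receiver-side replay window for one inbound SA."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.highest = 0          # highest seq accepted so far; ESP starts at 1
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def accept(self, seq: int) -> bool:
        """Return True (and slide or mark the window) if `seq` is fresh."""
        if seq == 0:
            return False          # sequence number 0 is never sent
        if seq > self.highest:
            # Newer than anything seen: slide the window right by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False          # older than the window's left edge: dropped
        if self.bitmap & (1 << diff):
            return False          # already seen inside the window: replay
        self.bitmap |= 1 << diff  # late but never seen: mark and accept
        return True


def deliver(window_size: int, arrival_order: list[int]) -> tuple[int, list[int]]:
    """Feed packets through a window; return (accepted_count, dropped_seqs)."""
    w = AntiReplayWindow(window_size)
    dropped = [seq for seq in arrival_order if not w.accept(seq)]
    return len(arrival_order) - len(dropped), dropped


def delayed_stream(n: int, delayed_seq: int, delay: int) -> list[int]:
    """Constructed stream: 1..n in order, except `delayed_seq` arrives
    `delay` packets late (one reordered packet, as ECMP or QoS can cause)."""
    order = [s for s in range(1, n + 1) if s != delayed_seq]
    order.insert(delayed_seq - 1 + delay, delayed_seq)
    return order


if __name__ == "__main__":
    stream = delayed_stream(500, delayed_seq=10, delay=100)
    for size in (64, 1024):
        accepted, dropped = deliver(size, stream)
        print(f"window {size:4d}: accepted {accepted}, dropped {dropped}")
    # A real replay is rejected regardless of window size.
    print("duplicate inside window:", deliver(1024, [1, 2, 3, 2]))
    print("replay of an expired seq:", deliver(4096, list(range(1, 5001)) + [5]))
```

The model makes the article's point concrete: a packet reordered by more than the window size is dropped under the replay counter even though it was never seen before, so the window has to exceed the worst-case reordering depth the path introduces, which grows with bandwidth and latency. Widening it changes only how much reordering is tolerated; duplicates within the window and packets older than it are still rejected.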


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VhqCAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
