Channel: SRX Services Gateway topics

SRX550 IPSec Replay errors

SRX550 Chassis Cluster established an IPsec VPN with Hillstone SG-6000-E3960. 
 
When the IPsec SA has just been initialized, traffic flows; then, after a couple of minutes or seconds, ping or other traffic stops flowing.
 
On the SRX, the Replay errors counter increments very rapidly when I run `show security ipsec statistics`. All the ESP packets received from the Hillstone are marked as replay errors.
I used Wireshark to view the pcap file from the external interface, and the ESP sequence numbers look fine.
When I clear the current IPsec SA and a new SA is built, traffic flow recovers for a short time; after that, the replay errors happen again...
 
In all of the above situations, the phase 1 and phase 2 SAs are up.
 
Now I have to set no-anti-replay in the IPsec settings on the SRX550.
 
SRX550 version: 12.3X48-D75.4 (recommended by JTAC now)
Hillstone version: SG6000-M-3-5.0R4P7-v6 (maybe obsolete?)
 
On the SRX550, several other VPNs connected to some branches are working fine, and the same is true on the Hillstone SG6000.
 
What is the possible reason for the replay errors on the SRX, and how can I debug it?
 
Any help would be appreciated.
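
As an added example (not part of the original post, and not Junos or Hillstone code): the receiver-side ESP anti-replay check specified in RFC 4303, applied to (SPI, sequence number) pairs read from a capture in arrival order, so that "the sequence numbers look fine" can be tested per SA instead of by eye. The 64-packet window size, the function names and the sample packets are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

class ReplayWindow:
    """Receiver-side ESP anti-replay window (RFC 4303, 32-bit sequence numbers)."""

    def __init__(self, size=64):  # 64 is an assumed window size
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        if seq == 0:
            return "invalid"            # a sender's first packet carries 1
        if seq > self.top:              # advances the right edge of the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1         # everything previously seen falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"            # left of the window: counted as replay
        if self.bitmap & (1 << offset):
            return "duplicate"          # already seen: counted as replay
        self.bitmap |= 1 << offset
        return "ok"                     # late but still inside the window

def audit(packets, size=64):
    """Run (spi, seq) pairs in capture order; one window per SPI (per SA)."""
    windows = defaultdict(lambda: ReplayWindow(size))
    return [(spi, seq, windows[spi].check(seq)) for spi, seq in packets]

def summarize(verdicts):
    """Count verdicts per SPI."""
    counts = defaultdict(Counter)
    for spi, _seq, verdict in verdicts:
        counts[spi][verdict] += 1
    return {spi: dict(c) for spi, c in counts.items()}

# Constructed sample, not taken from the post's capture.
SAMPLE = [(0x1000, s) for s in (1, 2, 3, 5, 4, 5, 200, 100, 199)]
SAMPLE += [(0x2000, 1), (0x2000, 2)]

if __name__ == "__main__":
    for spi, counts in summarize(audit(SAMPLE)).items():
        print(hex(spi), counts)
```

Packets must be fed in the order the receiver saw them and grouped by SPI, because the window state belongs to one SA and is reset when a new SA is negotiated.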
 
