TITLE:
IPsec Tunnel Recovery from Out-of-Sequence Traffic Drop Due to Peer IPsec Stateful Switchover
AUTHORS:
Arun Raj Kaprakattu
KEYWORDS:
Component, Formatting, Style, Styling, Insert (IPsec, Ike, Esp, Stateful Redundancy, Antireplay)
JOURNAL NAME:
Journal of Computer and Communications,
Vol.13 No.6,
June
13,
2025
ABSTRACT: In an IPsec stateful high availability environment [1], synchronizing ESP sequence numbers between active and standby IPsec gateway devices is the most challenging, as these sequence numbers change with every ESP/AH packet [2]. Consider that the IPsec state synchronization occurs periodically. If a failover/switchover occurs, the difference between the last synchronized sequence number and the current sequence number on the active device exceeds the anti-replay window and then the standby device will not be aware of the last sent ESP/AH sequence number. Hence, traffic sent from the new active IPsec device uses outdated sequence numbers, which will get dropped by the remote IPsec peer if anti-replay mechanism is enabled [3]. The purpose of this document is to explain how a remote standalone IPsec peer can differentiate this from a replay attack and help a newly active IPsec peer recover from sending out-of-sequence ESP/AH traffic caused by a stateful switchover.