DHCP broadcasts discards on inside

James_Lay
Level 1
Level 1

Hey all,

Topic says it... I've configured my ASA to accept all traffic inside a number of different ways:

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any log disable

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 interface inside log disable

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 object ASA log disable

I still see UDP broadcasts getting discarded:

Oct 29 06:54:04 asa %ASA-5-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67

Oct 29 06:54:05 asa %ASA-5-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67

Side note, I see a crazy amount of discards on 443 when accessing the ASA via ASDM:

Oct 29 06:46:34 asa %ASA-5-710005: TCP request discarded from 192.168.1.2/51824 to inside:192.168.1.254/443

Oct 29 06:46:34 asa %ASA-5-710005: TCP request discarded from 192.168.1.2/51820 to inside:192.168.1.254/443

I specifically log 710005. Thank you.


cadet alain
VIP Alumni
VIP Alumni

Hi,

Your ACL statements are inactive because of the disabled keyword.

Regards.

Alain

Don't forget to rate helpful posts.


That's actually disabling logging...

Hello James,

Yes, that is for logging purposes (disabled keyword).

Now, the DHCP server is on a different interface, correct? What is the IP address of the DHCP server, and on what interface is that server located?

Can you share the following command:

show run dhcp relay

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It's blank... I don't have that set. Thinking I should add that in? Thank you.

Hello James,

I will be able to answer that if you answer the questions I sent you in the last post, but yes, I think you do need it.

Please answer that and I will provide you the configuration:

Now, the DHCP server is on a different interface, correct?

What is the IP address of the DHCP server?

On what interface is that server located?

Remember to rate all of the helpful posts (if you do not know how to rate a post, just let me know and I will teach you).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ah shoot... missed them.

DHCP server is on the same switch as the Inside interface that the ASA is plugged into. The IP of the DHCP server is 192.168.1.253, and the ASA is 192.168.1.254. They are both in the same VLAN. Hope that one helps.

James

Hello James Lay,

Okay, so no DHCP relay is needed.

These packets are okay (expected), so no worry, as you are getting DHCP to work:

Oct 29 06:54:04 asa %ASA-5-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67

Oct 29 06:54:05 asa %ASA-5-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67

Now, regarding these ones right here (these ones I do not like):

Oct 29 06:46:34 asa %ASA-5-710005: TCP request discarded from 192.168.1.2/51824 to inside:192.168.1.254/443

Oct 29 06:46:34 asa %ASA-5-710005: TCP request discarded from 192.168.1.2/51820 to inside:192.168.1.254/443

Can you share the following:

show run ASDM

show run http

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
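The thread sorts the 710005 discards into two kinds: DHCP client broadcasts (0.0.0.0/68 to 255.255.255.255/67) that are expected when the DHCP server is another host on the same segment, and TCP hits on the ASA's own inside address on 443 that come from the ASDM session itself. The following parser and triage routine is an added example written for this page, not code from the thread or from Cisco. It uses the thread's own log lines as sample input (plus one constructed SSH line, labelled in the code); the message regex follows the 710005 format as quoted here, and the bucket names, the `asa_self_ips` parameter and the extra "other-to-asa-self" bucket are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pattern for the %ASA-5-710005 message exactly as it appears in the thread:
# "<proto> request discarded from <src_ip>/<src_port> to <ifname>:<dst_ip>/<dst_port>"
MSG_710005 = re.compile(
    r"%ASA-5-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) to "
    r"(?P<ifname>[^:\s]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+)"
)


@dataclass(frozen=True)
class Discard:
    proto: str
    src_ip: str
    src_port: int
    ifname: str
    dst_ip: str
    dst_port: int


def parse_710005(line: str) -> Optional[Discard]:
    """Return the fields of a 710005 syslog line, or None for any other line."""
    m = MSG_710005.search(line)
    if m is None:
        return None
    return Discard(
        proto=m["proto"],
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        ifname=m["ifname"],
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
    )


def classify(d: Discard, asa_self_ips, mgmt_ports=frozenset({443})) -> str:
    """Bucket a discard for triage. The first two buckets follow the thread's
    reading of the logs; the remaining buckets are this example's own."""
    # A client with no address yet, broadcasting to the DHCP server port: expected
    # when the DHCP server is another host on the same segment, not the ASA.
    if (d.proto == "UDP" and d.src_ip == "0.0.0.0" and d.src_port == 68
            and d.dst_ip == "255.255.255.255" and d.dst_port == 67):
        return "dhcp-broadcast-expected"
    # Management traffic (ASDM over HTTPS) aimed at the ASA's own interface address.
    if d.proto == "TCP" and d.dst_ip in asa_self_ips and d.dst_port in mgmt_ports:
        return "mgmt-to-asa-self"
    # Anything else addressed to the ASA itself is worth a look rather than a filter.
    if d.dst_ip in asa_self_ips:
        return "other-to-asa-self"
    return "other"


def summarize(lines, asa_self_ips) -> dict:
    """Count 710005 discards per bucket; lines that are not 710005 are ignored."""
    counts: dict = {}
    for line in lines:
        d = parse_710005(line)
        if d is None:
            continue
        bucket = classify(d, asa_self_ips)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Sample input: the four lines quoted in the thread plus one constructed line
# (SSH to the ASA's inside address) to exercise the "other-to-asa-self" bucket.
SAMPLE_LOG = [
    "Oct 29 06:54:04 asa %ASA-5-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67",
    "Oct 29 06:54:05 asa %ASA-5-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67",
    "Oct 29 06:46:34 asa %ASA-5-710005: TCP request discarded from 192.168.1.2/51824 to inside:192.168.1.254/443",
    "Oct 29 06:46:34 asa %ASA-5-710005: TCP request discarded from 192.168.1.2/51820 to inside:192.168.1.254/443",
    # constructed line, not from the thread:
    "Oct 29 07:01:12 asa %ASA-5-710005: TCP request discarded from 192.168.1.77/40011 to inside:192.168.1.254/22",
]

if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG, {"192.168.1.254"}).items()):
        print(f"{bucket}: {n}")
```

Feeding the collector's 710005 lines through `summarize` with the ASA's interface addresses as `asa_self_ips` separates the two noisy, explained kinds from anything else aimed at the firewall itself, which is the set you would keep alerting on even if you decide to stop logging the first two.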

Hi Julio,

Here's the output:

ciscoasa# show run ASDM

asdm image disk0:/asdm-701.bin

no asdm history enable

ciscoasa# show run http

http server enable

http 192.168.1.0 255.255.255.0 inside

Thank you!

James

Hello,

Can you do the following:

clear configure ASDM

http server enable

http 192.168.1.0 255.255.255.0 inside

and then try to connect using ASDM?

If this does not work I would recommend you to let us have the show run of the ASA

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I ran the above commands and I still see the same thing; however, I did a packet capture on the local machine, and it appears that the ASA discards the FIN ACK packet of each session... the local machine shows a FIN ACK, and the next packet is the ASA sending a RST packet. This happens every time, and I see the discard as soon as this happens. I can access and use the ASDM just fine, but it's a little annoying seeing a bunch of logs from my own machine. Thanks for your assistance.

James

Hello James,

Okay, so ASDM is working fine. So yes, basically these logs are not helpful at all.

You could stop logging them if needed. So the PC sends a FIN/ACK, good to know.

Let me know if you want me to help you stop logging these messages.

Remember to rate all of the helpful posts (if you do not know how to do it, just let me know, I will teach you ;D).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It's ok... thanks Julio. I just upgraded to 9.0(1) with 7.0.1 ASDM... same thing, so eh... I think it's just the way Cisco does things. Thanks again.

James

Hello James,

Okay, great to hear I could help.

If you do not have any other questions, please mark it as answered so future users can learn from this.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

What is in "sh run aaa", and do you have any user created locally, or are you using ACS?
