03-31-2022 11:10 AM
Getting this error on a production site to site VPN when it comes with a Phase 2 mismatch (see attached config):
%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)]
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)]
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]
A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information are provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.
03-31-2022 09:23 PM
Post the real log message - we are aware of this ASA log 106023 with an explanation.
Tell us what ASA device model and what code is running here? What is on the other side of the device:
There is also a given recommendation - have you taken any action:
Recommended Action If messages persist from the same source address, footprinting or port scanning attempt might be occurring. Contact the remote host administrator.
04-01-2022 07:13 AM
04-06-2022 06:15 AM
@balaji.bandi were you able to look at the config and prior message.
04-06-2022 10:45 AM
Is this a question about the VPN not being established or the ACL deny log?
The VPN is not being established because there is a mismatch in the crypto ACL (most likely).
04-06-2022 11:10 AM
@Marius Gunnerud Correct, the VPN lost its connection during phase 2 while phase 1 connects. Would my configuring a RAVPN have anything to do with this? I was told it wouldn't, as all other site to site VPNs are working.
04-11-2022 08:30 AM
@balaji.bandi and @Marius Gunnerud any thoughts on this?
04-12-2022 12:17 AM
No, RAVPN and S2S VPN can co-exist on the same device, and configuring one does not affect the other (unless you have inadvertently changed the S2S VPN configuration during RAVPN configuration).
As I mentioned in my last post, check that your crypto domain (crypto ACL) is correct on both sides of the VPN tunnel.
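As an added illustration of the crypto-domain check recommended above (this is not code from the thread, from Cisco, or from the poster's attached config): a script that parses a constructed pair of ASA crypto ACLs, reports entries that have no mirror on the peer, and tests whether a 106023 deny involves a flow that is actually inside the crypto domain. All networks, ACL names, interface names and the log line are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample config, not the poster's attached config: the crypto ACL on each ASA.
LOCAL_ACL = """
access-list VPN-TO-VENDOR extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list VPN-TO-VENDOR extended permit ip 10.20.5.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
REMOTE_ACL = """
access-list VPN-TO-HQ extended permit ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPN-TO-HQ extended permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0
"""
# Constructed 106023 line in the format quoted above (interface and ACL names are made up).
LOG_LINE = ('%ASA-4-106023: Deny tcp src outside:192.168.50.7/51234 '
            'dst inside:10.20.5.9/443 by access-group "OUTSIDE-IN" [0x0, 0x0]')

ACE_RE = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")
LOG_RE = re.compile(r"Deny \w+ src \S+?:([\d.]+)/\d+ dst \S+?:([\d.]+)/\d+")

def parse_crypto_acl(text):
    """Return the set of (local_net, remote_net) pairs from the 'permit ip' ACEs."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # remarks, object-group and non-ip ACEs are skipped by this simple check
            src = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            dst = ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            pairs.add((src, dst))
    return pairs

def find_mismatches(local_text, remote_text):
    """Every local (src, dst) must exist on the peer as (dst, src); report what has no mirror."""
    local = parse_crypto_acl(local_text)
    remote = {(d, s) for s, d in parse_crypto_acl(remote_text)}  # flipped to local's view
    return {
        "missing_on_remote": sorted(f"{s} -> {d}" for s, d in local - remote),
        "missing_on_local": sorted(f"{s} -> {d}" for s, d in remote - local),
    }

def parse_deny(log_line):
    """Extract (source_ip, dest_ip) from a 106023 message; these are real, pre-NAT addresses."""
    m = LOG_RE.search(log_line)
    return (m.group(1), m.group(2)) if m else None

def flow_in_crypto_domain(local_text, src_ip, dst_ip):
    """True if an inbound packet (remote src -> local dst) falls inside the local crypto domain.
    A deny on such a flow comes from the interface access-group ACL named in the message,
    which is a separate problem from a Phase 2 selector mismatch."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(d in lnet and s in rnet for lnet, rnet in parse_crypto_acl(local_text))
```

In the constructed data the second ACE differs in mask on the two peers (a /24 locally, a /16 on the vendor side), which is exactly the kind of non-mirrored crypto domain that stalls Phase 2.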
04-12-2022 11:24 AM
@Marius Gunnerud and @balaji.bandi even if I used a different port for the RAVPN?
04-12-2022 11:58 AM
As already pointed out there is no matching entry in the crypto map and that is why it is not coming up.
Check your crypto map acl.
Jon
04-18-2022 10:23 AM
Issue was on the vendor's side; issue was corrected.