cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2051
Views
7
Helpful
5
Replies

Unable to telnet to ASA. "IPSEC: Received a non-IPsec..."

NInja Black
Beginner
Beginner

 

Hi,

   Recently after making changes (not sure what) to the ASA5515 at one of our branch offices I am no longer able to telnet to it. I can SSH to it can access it through ASDM but not telnet.. The logs gives me this error when I try to telnet to it from our HQ.

 


%ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from 
remote_IP to local_IP.
1 Accepted Solution

Accepted Solutions

Jouni Forss
Mentor
Mentor

Hi,

 

To my understanding if you are coming from behind the external interface of the ASA and using Telnet then the ASA will block the Telnet connection attempts UNLESS the Telnet connection is coming through a secured VPN connection to the ASA. I guess the "security-level" change would fool the ASA to allow you to use Telnet but I am not really sure if there is any point to it since you should really use a secure management connection and not Telnet.

 

You could always use the "management-access" command with some internal interface and then use VPN to connect to that interface.

 

But if you have for some reason used Telnet to access the ASA without any VPN then I would suggest either only using SSH or using Telnet through a VPN connection formed to the ASA.

 

- Jouni

View solution in original post

5 Replies 5

Maykol Rojas
Cisco Employee
Cisco Employee

Hello

It had to be the security level.

It wont let you login to that interface if the security level is not 100, you may need to change it back to 100 or keep managing the ASA in that way. 

Mike.

 

Mike

Jouni Forss
Mentor
Mentor

Hi,

 

To my understanding if you are coming from behind the external interface of the ASA and using Telnet then the ASA will block the Telnet connection attempts UNLESS the Telnet connection is coming through a secured VPN connection to the ASA. I guess the "security-level" change would fool the ASA to allow you to use Telnet but I am not really sure if there is any point to it since you should really use a secure management connection and not Telnet.

 

You could always use the "management-access" command with some internal interface and then use VPN to connect to that interface.

 

But if you have for some reason used Telnet to access the ASA without any VPN then I would suggest either only using SSH or using Telnet through a VPN connection formed to the ASA.

 

- Jouni

Sorry for the late reply.

 

 I know I shouldn't use telnet but I am trying to know why it isn't working now. I was able to telnet to it before. Also I am telnetting it to a private address (Comcast provides ENS (layer 2) between our offices. This kind of makes it a VPN connection).

 HQ Router <-ENS-- >Branch office Router > Firewall.

 

 The outside security is 0 on the ASA. Please let me know if you need any more specifics.

 

As Jouni and Mike have mentioned, you can not telnet to a port that is configured with security-level 0.  This is a security restriction as telenet sends traffic in plain text.  Telnet should not be used, but if you have to use it for whatever reason, telnet traffic should only be crossing a "secure" network such as your local LAN where packet sniffing will most likely not happen (though this is still not a good reason to use telnet).

Your options for managing the firewall, again as Jouni has mentioned, is to either set up a RA VPN to the firewall, configure the management-access <interface> command and use SSH or telnet over the VPN (this is recommended when using SSH also).  Or, connect to the outside interface using SSH.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

 

Thanks guys. It was the security level. ;)

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers