9427 Views, 0 Helpful, 9 Replies
ASA ESP Packet discard messages

Dear All,

We have an L2L tunnel between an ASA 8.2.5 and a Cisco router. Recently we see the tunnel going down, and the ASA shows messages about ESP packet discards. Below is the message.

%ASA-7-710006: ESP request discarded from x.x.x.x to outside_int:x.x.x

At the same time the tunnel shows as up from the router side, but not on the ASA. We see CSCso50226, which matches our issue exactly.

As a workaround we have been resetting the tunnel from the router. It comes up and runs for a week.

Please someone look into this and help.

Regards,

Ravi

9 Replies

Jennifer Halim
Cisco Employee

What version of ASA are you running?

Have you tried upgrading the ASA to the fixed version, if you haven't already?

ASA version: 8.2.5

I think this is the last version in the series with the old NAT configuration.

We use the ASA only for site-to-site tunnels.

Situation: we see these messages from only one peer router, and at the same time they (router end) see the issue only with us. All other tunnels work fine for both parties. Can we check something from the router side?

This doesn't seem to be a bug. Can you post your VPN-related configuration?

With Regards,

Safwan

ju_mobile
Level 1

If you have a known bug, please upgrade to a software version not affected by the bug. Version 8.2(5) is one of the most unstable versions with randomness in connectivity.

Best Regards

Ju


Ju:

Our IOS version is not affected by the known bug.

And if we upgrade (8.3, 8.4 or 9.0), would we need to change some NAT-related configuration?

Safu030: the tunnel configuration is fine.

Hi Ravi,

8.4 is great; don't let the NAT change scare you off too much, and 8.2 was really buggy.

I guess this raises further questions: if your tunnel goes down once a week, is it down for the same length of time each time? And does this relate to the timers set on either end in the configuration?

When the tunnel goes down, is it at a quiet time? And have you tried using a test ping/RTR/SLA to keep the tunnel up?

The site below identifies the syslog messages, and yours makes me think something's not right. Do you have the sysopt enabled, or are you using ACLs to limit who can connect to the appliance as a VPN peer? If you have ACLs, have you included IP 50?

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html

710006

Error Message    %ASA-7-710006: protocol request discarded from source_address to interface_name:dest_address

Explanation This message appears when the adaptive security appliance does not have an IP server that services the IP protocol request; for example, the adaptive security appliance receives IP packets that are not TCP or UDP, and the adaptive security appliance cannot service the request.

Recommended Action In networks that use broadcasting services such as DHCP, RIP or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.

Best Regards

Ju

http://helpamunky.wordpress.com/
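Triage of the 710006 messages quoted above, as an added example that is not part of the original thread and not Cisco tooling: a Python script that parses ASA syslog lines, keeps only 710006 events, groups the discards by source address and attaches a verdict, so ESP arriving from a configured L2L peer (the symptom in this thread: the peer still has an SA and keeps sending ESP while this ASA no longer does) can be told apart from the ordinary non-TCP/UDP noise the syslog guide describes. The sample log lines and the peer list are constructed for the example; the addresses are RFC 5737 documentation ranges, and the header format follows the %ASA-severity-msgid convention shown in the thread.

```python
"""Triage %ASA-7-710006 "request discarded" syslog lines.

Added example for this thread (not Cisco's code). The sample lines below are
constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict

# Constructed sample syslog export. 198.51.100.7 plays the L2L peer router from
# the thread, 192.0.2.99 is a host with no tunnel configured, 203.0.113.1 sends
# IGMP, and one 710005 line (TCP/UDP, carries ports) is included to be skipped.
SAMPLE_LOG = """\
Jan 10 09:12:01 asa1 %ASA-7-710006: ESP request discarded from 198.51.100.7 to outside:203.0.113.10
Jan 10 09:12:01 asa1 %ASA-7-710006: ESP request discarded from 198.51.100.7 to outside:203.0.113.10
Jan 10 09:12:02 asa1 %ASA-7-710006: ESP request discarded from 198.51.100.7 to outside:203.0.113.10
Jan 10 09:12:05 asa1 %ASA-7-710006: IGMP request discarded from 203.0.113.1 to outside:224.0.0.1
Jan 10 09:12:07 asa1 %ASA-7-710005: UDP request discarded from 203.0.113.55/5000 to outside:203.0.113.10/7
Jan 10 09:12:09 asa1 %ASA-7-710006: ESP request discarded from 192.0.2.99 to outside:203.0.113.10
"""

# Generic ASA syslog header: %ASA-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Body of 710006 as documented in the ASA 8.2 syslog guide:
#   protocol request discarded from source_address to interface_name:dest_address
DISCARD_RE = re.compile(
    r"^(?P<proto>\S+) request discarded from (?P<src>\S+) to (?P<iface>[^:\s]+):(?P<dst>\S+)$"
)


def parse_discard(line):
    """Return a dict for a 710006 line, or None for any other line."""
    h = HEADER_RE.search(line)
    if h is None or h.group("msgid") != "710006":
        return None
    d = DISCARD_RE.match(h.group("text").strip())
    if d is None:
        return None
    ev = d.groupdict()
    ev["severity"] = int(h.group("sev"))
    return ev


def triage(log_text, vpn_peers):
    """Group 710006 discards by source address and attach a verdict per source.

    vpn_peers: addresses of the configured L2L peers. In this example it is a
    constructed list; on a real ASA take it from the crypto map / tunnel-groups.
    """
    peers = set(vpn_peers)
    by_src = defaultdict(lambda: {"count": 0, "protocols": set(), "targets": set()})
    for line in log_text.splitlines():
        ev = parse_discard(line)
        if ev is None:
            continue  # not a 710006 line
        rec = by_src[ev["src"]]
        rec["count"] += 1
        rec["protocols"].add(ev["proto"])
        rec["targets"].add(f"{ev['iface']}:{ev['dst']}")

    findings = []
    for src in sorted(by_src):
        rec = by_src[src]
        is_peer = src in peers
        if "ESP" in rec["protocols"] and is_peer:
            # The thread's symptom: the peer still holds an SA and keeps sending
            # ESP, while this ASA has no matching IKE/IPsec SA to decrypt it.
            verdict = "configured L2L peer sending ESP with no matching SA on the ASA"
        elif "ESP" in rec["protocols"]:
            verdict = "ESP from an address that is not a configured peer"
        else:
            # What the syslog guide means: IP traffic that is neither TCP nor
            # UDP and for which the ASA has no service (noise, or a flood).
            verdict = "non-TCP/UDP traffic with no listener on the ASA"
        findings.append({
            "src": src,
            "count": rec["count"],
            "protocols": sorted(rec["protocols"]),
            "targets": sorted(rec["targets"]),
            "configured_peer": is_peer,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, ["198.51.100.7"]):
        print(f"{f['src']:>14} x{f['count']:<3} {','.join(f['protocols']):<5} "
              f"peer={f['configured_peer']!s:<5} {f['verdict']}")
```

Run it against a real syslog export and the configured peer list; a configured peer that shows up under the first verdict while its tunnel reports "up" on the far end is exactly the state described in this thread, and the next thing to correlate is the IKE/IPsec SA lifecycle messages around the same timestamps.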

We will check about the upgrade, but we need to know the cause before proceeding, as we have many tunnels and should do it with no downtime.

And it's not the same length of time. Sometimes it goes down every two days. It has been two days now since the reset was done.

The tunnel went down suddenly during normal working hours, and this is 24/7, as the IT helpdesk works through the tunnel remotely. As far as I knew, keepalives by default should check for this using DPDs.

The syslog message recommendation confuses me. How do broadcasting services come into an IPsec L2L tunnel? The packet is ESP.

The discard is not by ACL. Correct me if I am wrong.

Any help?

Hi Ravi,

As your syslog message is at debugging level (%ASA-7-), there could be a myriad of other messages that are pertinent and would need to be considered to identify the cause. ESP is IP 50, not TCP or UDP. In your VPN connection, do you have the sysopt enabled to bypass local ACLs for IPsec VPNs?

If you run a constant ping from end to end, does the issue still happen?

Regards

ju

http://helpamunky.wordpress.com/

I remember sysopt is enabled by default, and I can see it is present.

SAA-S2S-VPN# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn

At the time of the issue, they pinged a protected IP but got no reply. The ASA was reachable.

I am thinking: why does the router keep sending ESP packets while there is no phase 1 on the ASA?

We are trying to increase the keepalives.