12-09-2012 09:14 AM
Dear All,
We have an L2L tunnel between an ASA 8.2.5 and a Cisco router. Recently we see the tunnel going down, and the ASA shows messages about ESP packet discards. Below is the message.
%ASA-7-710006: ESP request discarded from x.x.x.x to outside_int:x.x.x
At the same time, the tunnel shows up from the router side but not on the ASA. We see CSCso50226, which matches our issue exactly.
As a workaround we have been resetting the tunnel from the router. It comes up and runs for a week.
Could someone please look into this and help?
Regards,
Ravi
12-10-2012 08:25 AM
What version of ASA are you running?
Have you tried upgrading the ASA to the fixed version, if you haven't already?
12-10-2012 11:00 AM
ASA version: 8.2.5
I think this is the last version in the series with the old NAT configuration.
We use the ASA only for site-to-site tunnels.
Situation: we see these messages from only one peer router, and at the same time they (the router end) see the issue only with us. All other tunnels work fine for both parties. Can we check something from the router side?
12-10-2012 11:45 AM
It doesn't seem to be a bug. Can you post your configuration related to VPN?
With Regards,
Safwan
12-10-2012 03:07 PM
If you have a known bug, please upgrade to a software version not affected by the bug. Version 8.2(5) is one of the most unstable versions, with randomness in connectivity.
Best Regards
Ju
Sent from Cisco Technical Support iPad App
12-10-2012 11:27 PM
Ju:
The known bug does not apply to our IOS version.
And if we upgrade (8.3, 8.4 or 9.0), will we need to change some configuration related to NAT?
Safu030: The tunnel configuration is fine.
12-11-2012 12:10 AM
Hi Ravi,
8.4 is great; don't let the NAT change scare you off too much, and 8.2 was really buggy.
I guess this raises further questions: if your tunnel goes down once a week, is it the same length of time each time, and does this relate to the timers set in the configuration at either end?
When the tunnel goes down, is it at a quiet time? And have you tried using a test ping/RTR/SLA to keep the tunnel up?
The site below identifies the syslog messages, and yours makes me think something's not right. Do you have the sysopt enabled, or are you using ACLs to limit who can connect to the appliance as a VPN peer? If you have ACLs, have you included IP 50?
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html
710006
Error Message %ASA-7-710006: protocol request discarded from source_address to interface_name:dest_address
Explanation This message appears when the adaptive security appliance does not have an IP server that services the IP protocol request; for example, the adaptive security appliance receives IP packets that are not TCP or UDP, and the adaptive security appliance cannot service the request.
Recommended Action In networks that use broadcasting services such as DHCP, RIP or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
Best Regards
Ju
12-11-2012 06:11 AM
We will check about the upgrade, but we need to know the cause to proceed, as we have many tunnels and should do it with no downtime.
And it's not the same length of time. Sometimes it goes down every two days. It's been two days now since the reset was done.
The tunnel went down suddenly during normal working hours, and this is 24/7 as the IT helpdesk works through the tunnel remotely. As far as I know, keepalives should check for this by default using DPDs.
The syslog message recommendation confuses me. How do broadcasting services come into an IPsec L2L tunnel? The packet is ESP.
The discard is not by an ACL. Correct me if I am wrong.
Any help?
12-11-2012 06:22 AM
Hi Ravi,
As your syslog message is at debugging level (%ASA-7-), there could be a myriad of other messages that are pertinent and would need to be considered to identify the cause. ESP is IP 50 and not TCP or UDP. In your VPN connection, do you have the sysopt enabled to bypass local ACLs for IPsec VPNs?
If you run a constant ping from end to end, does the issue still happen?
Regards
ju
12-11-2012 06:56 AM
I remember sysopt is enabled by default, and I can see it is present.
SAA-S2S-VPN# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
At the time of the issue, they pinged a protected IP but got no reply. The ASA was reachable.
I'm thinking: why does the router keep sending ESP packets while there is no phase 1 in the ASA?
We are trying to increase the keepalives.
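Added example, not code from the thread or from Cisco: a small Python script that does the two checks the replies above ask for. The first part parses the %ASA-7-710006 format quoted from the syslog guide, counts discarded ESP (IP protocol 50) packets per source, and flags sources that are configured L2L peers, which is the symptom described here (the router still sends ESP, the ASA has no SA for it). The second part scans a show-run style text for "sysopt connection permit-vpn" and for access-list entries that permit ESP, UDP/500 (isakmp) and UDP/4500 (NAT-T) from a given peer; it only reports what the configuration contains and makes no claim about how a given ASA version applies the interface ACL to traffic addressed to the appliance itself. The log lines, configuration, hostname and RFC 5737 addresses are constructed for the example; the peer set and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Pattern for the message ID quoted in the thread:
#   %ASA-7-710006: protocol request discarded from source_address to interface_name:dest_address
MSG_710006 = re.compile(
    r"%ASA-7-710006: (?P<proto>\S+) request discarded from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<iface>[^:\s]+):(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_710006(lines):
    """Return (proto, src, iface, dst) for each 710006 line; other message IDs are skipped."""
    out = []
    for line in lines:
        m = MSG_710006.search(line)
        if m:
            out.append((m["proto"], m["src"], m["iface"], m["dst"]))
    return out


def esp_discards_by_peer(lines):
    """Count discarded ESP (IP protocol 50) packets per source address."""
    counts = Counter()
    for proto, src, _iface, _dst in parse_710006(lines):
        if proto.upper() == "ESP":
            counts[src] += 1
    return counts


def flag_vpn_peers(lines, vpn_peers, threshold=3):
    """Return configured VPN peers whose ESP was discarded at least `threshold` times.
    Discarded ESP from a known peer means the remote end still has an SA that this
    ASA does not, which is the state the original poster describes."""
    counts = esp_discards_by_peer(lines)
    return {peer: n for peer, n in counts.items() if peer in vpn_peers and n >= threshold}


def peer_acl_findings(config_text, peer):
    """Report whether 'sysopt connection permit-vpn' is present and whether any
    access-list permits ESP, UDP/500 and UDP/4500 from `peer`.
    Only the 'host <ip>' and 'any' source forms are handled (assumption)."""
    findings = {"sysopt_permit_vpn": False, "esp": False, "isakmp": False, "nat_t": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-vpn":
            findings["sysopt_permit_vpn"] = True
            continue
        if not line.startswith("access-list "):
            continue
        tok = line.split()
        if "extended" in tok:
            tok.remove("extended")
        # access-list NAME permit PROTO (host SRC | any) (host DST | any) [eq PORT]
        if len(tok) < 6 or tok[2] != "permit":
            continue
        proto = tok[3].lower()
        src_ok = tok[4] == "any" or (tok[4] == "host" and tok[5] == peer)
        if not src_ok:
            continue
        if proto in ("esp", "50"):
            findings["esp"] = True
        elif proto == "udp" and "eq" in tok:
            port = tok[tok.index("eq") + 1]
            if port in ("isakmp", "500"):
                findings["isakmp"] = True
            elif port == "4500":
                findings["nat_t"] = True
    return findings


# Constructed sample syslog lines (not from the thread); 203.0.113.10 is the "bad" peer.
SAMPLE_LOG = [
    "Dec 09 2012 09:10:01 asa1 %ASA-7-710006: ESP request discarded from 203.0.113.10 to outside:198.51.100.5",
    "Dec 09 2012 09:10:02 asa1 %ASA-7-710006: ESP request discarded from 203.0.113.10 to outside:198.51.100.5",
    "Dec 09 2012 09:10:03 asa1 %ASA-7-710006: ESP request discarded from 203.0.113.10 to outside:198.51.100.5",
    "Dec 09 2012 09:10:04 asa1 %ASA-7-710006: ESP request discarded from 203.0.113.20 to outside:198.51.100.5",
    "Dec 09 2012 09:10:05 asa1 %ASA-7-710006: IGMP request discarded from 198.51.100.7 to inside:224.0.0.1",
    "Dec 09 2012 09:10:06 asa1 %ASA-7-710005: UDP request discarded from 203.0.113.99 to outside:198.51.100.5/161",
]

# Constructed configuration fragment (not the poster's config).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 198.51.100.5
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.5 eq 4500
access-list OUTSIDE_IN extended permit udp host 203.0.113.20 host 198.51.100.5 eq isakmp
access-group OUTSIDE_IN in interface outside
sysopt connection permit-vpn
"""

if __name__ == "__main__":
    print(esp_discards_by_peer(SAMPLE_LOG))
    print(flag_vpn_peers(SAMPLE_LOG, {"203.0.113.10", "203.0.113.20"}))
    for p in ("203.0.113.10", "203.0.113.20"):
        print(p, peer_acl_findings(SAMPLE_CONFIG, p))
```

Run against real data by replacing SAMPLE_LOG with lines from the syslog server and SAMPLE_CONFIG with "show running-config" output. A peer that appears in flag_vpn_peers while the remote end reports the tunnel up points at SA-state disagreement rather than an ACL drop, which is why the 710006 counter is worth tracking alongside the tunnel-reset dates.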