Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1031
Views
0
Helpful
4
Replies

Help: too many logs when using EzVPN

Go to solution
robert.huang
Level 1
Level 1

‎03-01-2016 03:55 PM

Hello,

I've set up EzVPN on ASA Version 9.2(4)5. My goal is just to use the VPN pool address (10.11.10.x) to access everywhere instead of using my laptop's real IP address. NAT is not needed on the ASA outside interface. I even didn't configure the inside interface.

Everything works as expected except for too many same syslog messages of "%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= UDP) from 10.11.10.1 to 10.11.10.255." are generated.

Configuration is shown below. Please help how I can get rid of these logs. Thanks a lot.

Robert


ip local pool EZVPN_POOL 10.11.10.1-10.11.10.254 mask 255.255.255.0
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
same-security-traffic permit intra-interface
!
crypto ipsec ikev1 transform-set VPN_TRAN esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map VPN_DYMAP 10 set ikev1 transform-set VPN_TRAN
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_DYMAP
crypto map VPN_MAP interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400!
group-policy PROXY_VPN_POLICY internal
group-policy PROXY_VPN_POLICY attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelall
!
username John password XXXXXX privilege 0
username John attributes
 vpn-group-policy PROXY_VPN_POLICY
!
tunnel-group PROXY_VPN_GROUP type remote-access
tunnel-group PROXY_VPN_GROUP general-attributes
 address-pool EZVPN_POOL
 default-group-policy PROXY_VPN_POLICY
tunnel-group PROXY_VPN_GROUP ipsec-attributes
 ikev1 pre-shared-key XXXXXX
!

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎03-01-2016 05:51 PM

Hi robert.huang,

The error "%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= UDP) from 10.11.10.1 to 10.11.10.255." specifies that remote side is sending the traffic sourced from 10.11.10.1 to 10.11.10.255 which is not sent via IPSec tunnel. You might want to confirm this with them. 

Additionally, you can tweak the severity level of this log message and define which level of logs should be sent to your syslog server so that it does not include this, though I would not recommend it.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎03-01-2016 06:02 PM

Hi Robert,

I understand you are getting the following error: "CRYPTO-4-RECVD_PKT_NOT_IPSEC"

The config seems fine.

"Packet not IPsec" messages here seem to indicate we occasionally have other type of traffic (not ipsec) coming in, that the ASA expected to be

encrypted but that was not encapsulated into IPsec.

This may be due to policy routing that bypasses the VPN gateway, or a spoofed/incorrect source IP address.


In this case would be good idea set up packet captures in order to catch those packets and trace them back to their source.

Also we see that this message comes from the first IP of the pool to the 10.11.10.255 IP which is what we need to track for UDP traffic.

You can also check in the syslogs what UDP traffic is being sent for this.

Regards,

Aditya 

Please rate helpful posts.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎03-01-2016 05:51 PM

Hi robert.huang,

The error "%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= UDP) from 10.11.10.1 to 10.11.10.255." specifies that remote side is sending the traffic sourced from 10.11.10.1 to 10.11.10.255 which is not sent via IPSec tunnel. You might want to confirm this with them. 

Additionally, you can tweak the severity level of this log message and define which level of logs should be sent to your syslog server so that it does not include this, though I would not recommend it.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
robert.huang
Level 1
Level 1
In response to Dinesh Moudgil

‎03-02-2016 06:35 AM

Thanks Aditya and Dinesh for your reply.

I've attached the the whole configuration below. I used different computer to VPN in and got the IP of 10.11.10.1. I got the same message "%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= UDP) from 10.11.10.1 to 10.11.10.255." over and over again. I don't mind my computer sending packets to the broadcast address of 10.11.10.255. I just want this message not to flood my syslog. The severity level of this message is 4, I can't tweak it otherwise I will lose userful logs.

Please direct me into the right direction of how the issue can be resolved. Thanks again.

: Saved
:
: Serial Number: JMX1347Z0BP
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 10:55:28.111 EST Sat Feb 27 2016
!
ASA Version 9.2(4)5
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool EZVPN_POOL 10.11.10.1-10.11.10.254 mask 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
 shutdown
!
interface Ethernet0/2
 switchport access vlan 2
 shutdown
!
interface Ethernet0/3
 switchport access vlan 2
 shutdown
!
interface Ethernet0/4
 switchport access vlan 2
 shutdown
!
interface Ethernet0/5
 switchport access vlan 2
 shutdown
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set VPN_TRAN esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map VPN_DYMAP 10 set ikev1 transform-set VPN_TRAN
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_DYMAP
crypto map VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 199.182.221.110 source outside prefer
group-policy PROXY_VPN_POLICY internal
group-policy PROXY_VPN_POLICY attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelall
username John password hJo47uu96ASa.6WU encrypted privilege 0
username John attributes
 vpn-group-policy PROXY_VPN_POLICY
tunnel-group PROXY_VPN_GROUP type remote-access
tunnel-group PROXY_VPN_GROUP general-attributes
 address-pool EZVPN_POOL
 default-group-policy PROXY_VPN_POLICY
tunnel-group PROXY_VPN_GROUP ipsec-attributes
 ikev1 pre-shared-key XXXXX
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:659566f9da80ecda142cec549460f555
: end

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to robert.huang

‎03-02-2016 07:02 AM

Hi Robert,

As already pointed out the config is not an issue.

We need to check why we are getting this packet as an NON-IPSEC packet.

You will need to identify the device that is sending that broadcast message
and probably disable the component that is generating the broadcast, or you
can place an access-list at some point of your network or on the inside of
the ASA denying that source and destination. (source of the broadcast and
the broadcast address)

Since  the IPSec VPN tunnels does not forward broadcast traffic you will see these syslog messages.

Regards,

Aditya

Please rate helpful posts.

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎03-01-2016 06:02 PM

Hi Robert,

I understand you are getting the following error: "CRYPTO-4-RECVD_PKT_NOT_IPSEC"

The config seems fine.

"Packet not IPsec" messages here seem to indicate we occasionally have other type of traffic (not ipsec) coming in, that the ASA expected to be

encrypted but that was not encapsulated into IPsec.

This may be due to policy routing that bypasses the VPN gateway, or a spoofed/incorrect source IP address.


In this case would be good idea set up packet captures in order to catch those packets and trace them back to their source.

Also we see that this message comes from the first IP of the pool to the 10.11.10.255 IP which is what we need to track for UDP traffic.

You can also check in the syslogs what UDP traffic is being sent for this.

Regards,

Aditya 

Please rate helpful posts.

0 Helpful
Top