Site-to-site VPN cisco ASA %ASA-7-710005: UDP request discarded

nastiakhon
Level 1

Good afternoon.
Please help me solve the problem with my VPN.
After establishing a connection, I constantly receive a message
%ASA-7-710005: UDP request discarded from Y.Y.Y.Y/4503 to WLAN:X.X.X.X/4500

Y.Y.Y.Y - remote-public-ip, X.X.X.X - my-public-ip

In this case, the message shows that the first and second phases have been established, but no useful traffic is flowing.

As soon as I enter the command no crypto isakmp nat-traversal, useful traffic begins to flow, but this message still does not go away.
What could be the problem? Please tell me.
The configuration of my ASA:

ciscoasa(config)# sh run
: Saved

:

: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2194 MHz
:
ASA Version 9.7(1)
!
hostname ciscoasa


xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet0/0
speed 100
duplex full
nameif WLAN
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 10
ip address 10.122.122.1 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.90
vlan 90
nameif insideVlan90
security-level 100
ip address 10.122.1.1 255.255.255.0
!
interface GigabitEthernet0/3.705
vlan 705
nameif Lo705
security-level 100
ip address 10.130.1.89 255.255.255.248
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name brigada.taif.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network zabbix
host 192.168.0.100
object network taif_ilshad
host 10.99.36.176
object network danis
host 10.99.32.247
object network 10.50.70.0
subnet 10.50.70.0 255.255.255.0
object network NETWORK_OBJ_10.122.1.0_24
subnet 10.122.1.0 255.255.255.0
object network taif_elmira
host 10.99.36.93
object network 10.99.32.0
subnet 10.99.32.0 255.255.255.0
object network 10.99.36.0
subnet 10.99.36.0 255.255.255.0
object network 10.122.1.0_24
subnet 10.122.1.0 255.255.255.0
object network 10.130.1.88_29
subnet 10.130.1.88 255.255.255.248
object network 10.130.1.80_29
subnet 10.130.1.80 255.255.255.248
object service 3389
service tcp destination eq 3389
object network 192.168.2.0
subnet 192.168.2.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network TAIF_Remoute
network-object object 10.50.70.0
network-object object danis
network-object object taif_ilshad
network-object object zabbix
network-object object taif_elmira
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_2
network-object object 10.50.70.0
network-object object 10.99.32.0
network-object object 10.99.36.0
network-object object 192.168.2.0
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_4
network-object object 10.50.70.0
network-object object 10.99.32.0
network-object object 10.99.36.0
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_1
network-object object 10.50.70.0
network-object object 10.99.32.0
network-object object 10.99.36.0
network-object object 192.168.2.0
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group TAIF_Remoute 10.122.1.0 255.255.255.0
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.122.1.0 255.255.255.0 any4
access-list WLAN_access_in extended permit ip any any
access-list WLAN_access_in extended permit object-group DM_INLINE_PROTOCOL_5 10.122.1.0 255.255.255.0 any
access-list WLAN_cryptomap extended permit ip 10.122.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list DMZ_access_in extended deny ip 10.122.122.0 255.255.255.0 object-group TAIF_Remoute
access-list DMZ_access_in extended deny ip 10.122.122.0 255.255.255.0 10.122.1.0 255.255.255.0
access-list DMZ_access_in extended permit ip 10.122.122.0 255.255.255.0 any
access-list WLAN_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_9 object 10.130.1.88_29 object 10.130.1.80_29
access-list insideVlan90_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object NETWORK_OBJ_10.122.1.0_24 object-group DM_INLINE_NETWORK_2
access-list insideVlan90_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.122.1.0 255.255.255.0 any
access-list Lo705_access_in extended permit ip 10.130.1.88 255.255.255.248 10.130.1.80 255.255.255.248
access-list Lo705_access_in extended permit object-group DM_INLINE_PROTOCOL_8 object 10.130.1.88_29 object 10.130.1.80_29
access-list Lo705_access_in extended permit ip object NETWORK_OBJ_10.122.1.0_24 object-group DM_INLINE_NETWORK_1
access-list Lo705_access_in extended permit object-group DM_INLINE_PROTOCOL_6 10.130.1.88 255.255.255.248 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging asdm-buffer-size 512
logging monitor warnings
logging buffered debugging
logging trap debugging
logging asdm warnings
logging debug-trace persistent
logging flash-bufferwrap
logging flash-minimum-free 3076000
logging flash-maximum-allocation 1024000
logging permit-hostdown
logging class webvpn monitor debugging
mtu WLAN 1500
mtu DMZ 1500
mtu insideVlan90 1500
mtu Lo705 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (DMZ,WLAN) source dynamic any interface
nat (insideVlan90,WLAN) source dynamic any interface
nat (Lo705,WLAN) source static 10.130.1.88_29 10.130.1.88_29 destination static 10.130.1.80_29 10.130.1.80_29 route-lookup
access-group WLAN_access_in in interface WLAN
access-group DMZ_access_in in interface DMZ
access-group insideVlan90_access_in in interface insideVlan90
access-group Lo705_access_in in interface Lo705
route insideVlan90 10.50.70.0 255.255.255.0 10.122.1.2 1
route insideVlan90 10.99.32.0 255.255.255.0 10.122.1.2 1
route insideVlan90 10.99.36.0 255.255.255.0 10.122.1.2 1
route Lo705 10.140.1.40 255.255.255.248 10.130.1.90 1
route insideVlan90 192.168.2.0 255.255.255.0 10.122.1.2 1
route WLAN 217.173.24.220 255.255.255.255 83.151.4.41 1
route WLAN Y.Y.Y.Y 255.255.255.255 83.151.4.41 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 10.122.1.0 255.255.255.0 insideVlan90
http Y.Y.Y.Y 255.255.255.255 WLAN
http 10.99.32.0 255.255.255.0 insideVlan90
http 10.99.36.0 255.255.255.0 insideVlan90
no snmp-server location
no snmp-server contact
sysopt noproxyarp insideVlan90
sysopt noproxyarp Lo705
crypto ipsec ikev1 transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite

crypto map WLAN_map 2 match address WLAN_cryptomap_1
crypto map WLAN_map 2 set peer Y.Y.Y.Y
crypto map WLAN_map 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map WLAN_map 2 set ikev2 pre-shared-key *****
crypto map WLAN_map 2 set security-association lifetime seconds 3600
crypto map WLAN_map 2 set reverse-route
crypto map WLAN_map interface WLAN
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
---------
183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
quit
crypto isakmp nat-traversal 3600
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable WLAN
crypto ikev1 enable WLAN
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh Y.Y.Y.Y 255.255.255.255 WLAN
ssh 10.122.1.0 255.255.255.0 insideVlan90
ssh 10.99.36.0 255.255.255.0 insideVlan90
ssh 10.99.32.0 255.255.255.0 insideVlan90
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group MTS request dialout pppoe
vpdn group MTS localname 31008676368/2
vpdn group MTS ppp authentication pap
dhcpd address 10.122.1.10-10.122.1.100 insideVlan90
dhcpd dns 10.50.70.2 213.87.2.89 interface insideVlan90
dhcpd domain uktaif.ru interface insideVlan90
dhcpd update dns both override interface insideVlan90
dhcpd option 6 ip 10.50.70.2 213.87.2.88 interface insideVlan90
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_Y.Y.Y.Y internal
group-policy GroupPolicy_Y.Y.Y.Y attributes
vpn-tunnel-protocol ikev1

dynamic-access-policy-record DfltAccessPolicy

username admin attributes
password-storage disable

username taifadm attributes
password-storage disable

tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y general-attributes
default-group-policy GroupPolicy_Y.Y.Y.Y
tunnel-group Y.Y.Y.Y ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
4 Replies

It's not an issue on your side: the peer is behind a NAT device and is not using static NAT 1:1 or PAT port forwarding. This makes your side receive a UDP source port other than 4500 and makes IPsec fail.

MHM
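The diagnosis above can be checked from the ASA syslog itself. The script below is an added example and not part of the original thread or of any Cisco tooling: it parses %ASA-7-710005 lines in the exact format shown in the question, keeps only UDP discards aimed at the IKE/NAT-T ports (500/4500) from a configured peer, and reports whether the peer's packets arrive from a source port other than 4500, which is the PAT symptom described in the reply. The log lines and the peer address 203.0.113.10 / local address 198.51.100.1 are constructed documentation values, not taken from the thread.

```python
import re
from collections import defaultdict

# Message format as it appears in the question: the "WLAN:" prefix is the receiving interface.
_RE_710005 = re.compile(
    r"%ASA-\d-710005: (?P<proto>UDP|TCP) request discarded from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<iface>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

IKE_PORT = 500
NAT_T_PORT = 4500


def parse_710005(line):
    """Return the fields of one %ASA-7-710005 line as a dict, or None for any other line."""
    m = _RE_710005.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify_discards(lines, peers):
    """Group IKE/NAT-T discards by configured peer and decide whether the source port was rewritten.

    peers: set of peer IP strings (the "set peer" addresses of the crypto map).
    Returns {peer_ip: {"ports": set of source ports seen, "count": n, "verdict": str}}.
    NAT-T expects UDP 4500 <-> 4500; a peer whose packets land on our 4500 from another
    source port is being PAT-translated on the path without a 1:1 mapping.
    """
    by_peer = defaultdict(lambda: {"ports": set(), "count": 0, "verdict": ""})
    for line in lines:
        rec = parse_710005(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["src_ip"] not in peers or rec["dst_port"] not in (IKE_PORT, NAT_T_PORT):
            continue
        entry = by_peer[rec["src_ip"]]
        entry["ports"].add(rec["src_port"])
        entry["count"] += 1

    for entry in by_peer.values():
        if entry["ports"] <= {IKE_PORT, NAT_T_PORT}:
            entry["verdict"] = "expected ports; the discard is not a NAT-T port mismatch"
        else:
            entry["verdict"] = (
                "source port rewritten (%s): peer is behind PAT without a 1:1 NAT for UDP/4500"
                % sorted(entry["ports"])
            )
    return dict(by_peer)


# Constructed sample log (documentation addresses), shaped like the message in the question.
SAMPLE_LOG = """\
%ASA-7-710005: UDP request discarded from 203.0.113.10/4503 to WLAN:198.51.100.1/4500
%ASA-7-710005: UDP request discarded from 203.0.113.10/4503 to WLAN:198.51.100.1/4500
%ASA-7-710005: UDP request discarded from 203.0.113.10/4507 to WLAN:198.51.100.1/4500
%ASA-7-710005: UDP request discarded from 192.0.2.77/53 to WLAN:198.51.100.1/53
%ASA-7-710005: TCP request discarded from 192.0.2.5/51000 to WLAN:198.51.100.1/22
some unrelated syslog line that the parser must ignore
"""

if __name__ == "__main__":
    for peer, info in classify_discards(SAMPLE_LOG.splitlines(), {"203.0.113.10"}).items():
        print("%s: %d discards, %s" % (peer, info["count"], info["verdict"]))
```

Feed it the buffered log (logging buffered debugging is already on in the posted config) and the peer address from the crypto map; if the verdict reports rewritten source ports, the fix has to happen on the NAT device in front of the peer, as the reply says.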

Thanks for the answer. Please tell me, is this a problem on the remote side?
The fact is that there is no way to reconfigure the remote side. Can I somehow make settings on my side so that the UDP is passed through and not blocked?

Thanks for the answer. Please tell me, is this a problem on the remote side? YES

The fact is that there is no way to reconfigure the remote side. Can I somehow make settings on my side so that the UDP is passed through and not blocked? Sorry, there is no other way I know of.

MHM

nastiakhon
Level 1

Thanks for the answer. We will think about what to do.