Remote VPN access

Unanswered Question
May 1st, 2007


I have an ASA5520 with version 7.2(2)18.

I am trying to set up a VPN connection with a DMZ interface on the ASA, but I get the messages %PIX-7-710005. When I configure the ASA to use the "outside" interface as the tunnel termination interface, then it works.

Any suggestions? Thanks

oabduo983 Wed, 05/02/2007 - 05:50

Are you terminating your connection on the DMZ interface? Are you trying to reach the inside network? Can you post your configuration to see what's happening?


robschellrh Wed, 05/02/2007 - 07:29

Hi Osama Abduo,

When I configure "crypto map IO-MAP interface" and "crypto isakmp enable" to "asa03-01-outside" interface, it works.

But when I enable isakmp on the "asa03-01-vpn" interface, I cannot connect and get the %ASA-7-710005 message.


oabduo983 Wed, 05/02/2007 - 10:23

Hi Rob

I was going through your configuration, and I was doubting some routing issues, but I found the reverse-route option being enabled. Have you tried pointing a default gateway on the asa03-01-vpn interface? I was looking more into the error message which you got on the Cisco site and I got the following explanation:



Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service

Explanation This message appears when the security appliance does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the security appliance. In addition, this message appears (with the service snmp) when the security appliance receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is snmp, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.

Recommended Action In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBios, the frequency of this message can be high. If this message appears in excessive number, it may indicate an attack.


Based on this, and the fact that you are using 1 physical interface (with sub-interfaces below it) could you please try and use ipsec over tcp using the following command?

isakmp ipsec-over-tcp port 10000

Don't forget to enable this on the client under the transport tab...

Have you thought of utilizing your other two physical interfaces instead of pushing them with the interface Gi0/0?

I hope this helps... Please rate if it does!
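
An added example, not part of the original thread: a Python parser for 710005 messages in the format quoted above that counts discards aimed at the VPN services per interface, and lists sources generating many discards (the "excessive number" case in the recommended action). The log lines, addresses, the VPN service list and the threshold are constructed assumptions; the interface names are the ones mentioned in the thread.

```python
import re
from collections import Counter

# Follows the format quoted in the thread:
# %PIX|ASA-7-710005: {TCP|UDP} request discarded from src/sport to ifname:dst/service
MSG_710005 = re.compile(
    r"%(?:PIX|ASA)-7-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[^/\s]+)/(?P<sport>\S+) to "
    r"(?P<ifname>[^:\s]+):(?P<dst>[^/\s]+)/(?P<service>\S+)"
)

# Assumption: services a remote-access IPsec client contacts. IKE (UDP 500,
# possibly logged by name), NAT-T (UDP 4500) and the TCP port configured with
# "isakmp ipsec-over-tcp port 10000".
VPN_SERVICES = {("UDP", "500"), ("UDP", "isakmp"), ("UDP", "4500"), ("TCP", "10000")}

def parse_710005(line):
    """Return the message fields as a dict, or None for any other log line."""
    m = MSG_710005.search(line)
    return m.groupdict() if m else None

def summarize(lines, flood_threshold=3):
    """Return (vpn_discards, noisy_sources).

    vpn_discards counts discarded VPN-service requests per (interface, proto,
    service): a non-zero count on the intended termination interface means the
    appliance had no listener for that service there.
    noisy_sources maps each source with >= flood_threshold discards to its count.
    """
    vpn, per_src = Counter(), Counter()
    for line in lines:
        rec = parse_710005(line)
        if rec is None:
            continue
        per_src[rec["src"]] += 1
        if (rec["proto"], rec["service"]) in VPN_SERVICES:
            vpn[(rec["ifname"], rec["proto"], rec["service"])] += 1
    noisy = {src: n for src, n in per_src.items() if n >= flood_threshold}
    return vpn, noisy

# Constructed sample input (documentation address ranges, not from the thread).
SAMPLE = [
    "%ASA-7-710005: UDP request discarded from 198.51.100.20/1024 to asa03-01-vpn:192.0.2.1/500",
    "%ASA-7-710005: UDP request discarded from 198.51.100.20/1024 to asa03-01-vpn:192.0.2.1/500",
    "%ASA-7-710005: TCP request discarded from 198.51.100.20/3345 to asa03-01-vpn:192.0.2.1/10000",
    "%PIX-7-710005: UDP request discarded from 203.0.113.7/68 to asa03-01-outside:255.255.255.255/67",
    "%ASA-6-302013: Built inbound TCP connection 1 for asa03-01-outside:203.0.113.7/4000",
]

if __name__ == "__main__":
    vpn_discards, noisy_sources = summarize(SAMPLE)
    print(dict(vpn_discards), noisy_sources)
```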

robschellrh Wed, 05/02/2007 - 23:49

Hi Osama,

I tried your options: inserted ipsec-over-tcp port 10000 and moved the logical interface 0/0.23 to a physical interface gi0/1, but still get the error message 71005.

