Prob. with connecting to ASA with TCP Client based Remote VPN access

j.damsgaard
Level 1

Hi There

I get the following log message when I try to connect to my ASA 5520 running 8.0(3) with VPN Client 5.0.03.0560:

%ASA-7-710005: TCP request discarded from ...

I have no problems when I connect via UDP; then everything runs smoothly. Do any of you have any idea how this occurs?

Many thanks in advance.

Jesper Damsgaard, Bankdata, Denmark

1 Accepted Solution

I've pulled this message; sometimes these are helpful in giving clues:

710005

Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service

Explanation This message appears when the security appliance does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the security appliance. In addition, this message appears (with the service snmp) when the security appliance receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is snmp, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.

One thing I can think of:

It is possible that in your VPN client connection profile, on the Transport tab, you have IPsec over UDP (NAT/PAT) selected under Enable Transparent Tunneling, which is actually the default.

When you select IPsec over TCP port 10000 in the client and the ASA is not set up for IPsec over TCP, I believe this is the error you are getting in that message. The ASA is not set up for IPsec over TCP port 10000; to do that on the ASA you need:

asa(config)#crypto isakmp ipsec-over-tcp port 10000

Then you can select IPsec over TCP 10000 in the VPN client profile connection Transport tab and try connecting using this transport.

Hopefully this could be your problem.

HTH

Jorge

Jorge Rodriguez


3 Replies

j.damsgaard
Level 1

Just a little bit more information:

sysopt connection permit-vpn

Is configured on the ASA

Jesper

Hi Jorge

Yes, you were absolutely right; after entering the command as outlined, the communication works.

I would like to thank you for your time and effort in resolving this issue for me.

I will write to Cisco, so that they will include this information in the documentation where they describe how this is set up:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
