Cisco Support Community
Prob. with connecting to ASA with TCP Client based Remote VPN access

Hi There

I get the following log message when I try to connect to my ASA 5520 running 8.0(3) with VPN Client 5.0.03.0560:

%ASA-7-710005: TCP request discarded from ...

I have no problems when I connect via UDP; then everything runs smoothly. Do any of you have any ideas how this occurs?

Many thanks in advance.

Jesper Damsgaard, Bankdata, Denmark

Accepted Solutions

Re: Prob. with connecting to ASA with TCP Client based Remote VP

I've pulled this message; sometimes these are helpful in giving clues:

710005

Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service

Explanation This message appears when the security appliance does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the security appliance. In addition, this message appears (with the service snmp) when the security appliance receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is snmp, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.

One thing I can think of:

It is possible that in your VPN client connection profile Transport tab you have "IPsec over UDP (NAT/PAT)" under "Enable Transparent Tunneling", which is actually the default.

When you select IPsec over TCP port 10000 in the client and the ASA is not set up for IPsec over TCP, I believe this is the error you are getting in that message. The ASA is not set up for IPsec over TCP port 10000; to do that on the ASA you need:

asa(config)# crypto isakmp ipsec-over-tcp port 10000

Then you can select IPsec over TCP 10000 in the VPN client profile connection Transport tab and try connecting using this transport.

Hopefully this could be your problem.

HTH

Jorge
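
An added example, not part of the original posts or of Cisco's documentation: a small Python parser for the 710005 format quoted in the answer above, counting TCP discards aimed at port 10000, which is the symptom in this thread when IPsec over TCP is not enabled on the ASA. The sample log lines and addresses are constructed, and it assumes the service field is logged as the numeric port 10000.

```python
import re
from collections import Counter

# Message format as quoted from the syslog reference above:
#   %PIX|ASA-7-710005: {TCP|UDP} request discarded from
#   source_address/source_port to interface_name:dest_address/service
MSG_710005 = re.compile(
    r"%(?:PIX|ASA)-7-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>\S+)/(?P<sport>\d+) to "
    r"(?P<ifc>[^:\s]+):(?P<dst>\S+)/(?P<service>\S+)"
)

# Port from the thread. Assumption: the ASA logs it numerically, not as a name.
IPSEC_TCP_PORT = "10000"

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "%ASA-7-710005: TCP request discarded from 198.51.100.7/1299 to outside:203.0.113.1/10000",
    "%ASA-7-710005: TCP request discarded from 198.51.100.7/1300 to outside:203.0.113.1/10000",
    "%ASA-7-710005: UDP request discarded from 192.0.2.20/40001 to inside:192.0.2.1/snmp",
    "%ASA-7-710005: TCP request discarded from 198.51.100.8/2201 to outside:203.0.113.1/8080",
    "%ASA-6-302013: Built inbound TCP connection (unrelated message)",
]


def parse_710005(line):
    """Return the 710005 fields as a dict, or None for any other message."""
    m = MSG_710005.search(line)
    return m.groupdict() if m else None


def ipsec_over_tcp_suspects(lines, port=IPSEC_TCP_PORT):
    """Count TCP discards per (interface, destination, client) on the given port."""
    hits = Counter()
    for line in lines:
        rec = parse_710005(line)
        if rec and rec["proto"] == "TCP" and rec["service"] == port:
            hits[(rec["ifc"], rec["dst"], rec["src"])] += 1
    return hits


if __name__ == "__main__":
    for (ifc, dst, src), n in ipsec_over_tcp_suspects(SAMPLE).items():
        print(f"{n} TCP/{IPSEC_TCP_PORT} discards from {src} to {ifc}:{dst}: "
              "check that IPsec over TCP is enabled on this port")
```
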

3 REPLIES
Re: Prob. with connecting to ASA with TCP Client based Remote VP

Just a little bit more information:

sysopt connection permit-vpn

Is configured on the ASA

Jesper

Re: Prob. with connecting to ASA with TCP Client based Remote VP

Hi Jorge

Yes, you were absolutely right; after entering the command as outlined, the communication works.

I would like to thank you for your time and effort in resolving this issue for me.

I will write to Cisco, so that they will include this information in the documentation where they describe how this is set up:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
