Cisco Support Community
New Member

Unable to telnet to ASA. "IPSEC: Received a non-IPsec..."

 

Hi,

Recently, after making changes (not sure what) to the ASA5515 at one of our branch offices, I am no longer able to telnet to it. I can SSH to it and access it through ASDM, but not telnet. The logs give me this error when I try to telnet to it from our HQ:

%ASA-4-402117: IPSEC: Received a non-IPsec (protocol) packet from remote_IP to local_IP.
1 ACCEPTED SOLUTION
Super Bronze

Hi,

 

To my understanding, if you are coming from behind the external interface of the ASA and using Telnet, then the ASA will block the Telnet connection attempts UNLESS the Telnet connection is coming through a secured VPN connection to the ASA. I guess the "security-level" change would fool the ASA into allowing you to use Telnet, but I am not really sure if there is any point to it, since you should really use a secure management connection and not Telnet.

 

You could always use the "management-access" command with some internal interface and then use VPN to connect to that interface.

 

But if you have for some reason used Telnet to access the ASA without any VPN, then I would suggest either only using SSH or using Telnet through a VPN connection formed to the ASA.

 

- Jouni

5 REPLIES
Cisco Employee


Hello

It had to be the security level.

It won't let you log in to that interface if the security level is not 100; you may need to change it back to 100 or keep managing the ASA in that way.

Mike

New Member


Sorry for the late reply.

 

I know I shouldn't use telnet, but I am trying to find out why it isn't working now. I was able to telnet to it before. Also, I am telnetting to it at a private address (Comcast provides ENS (layer 2) between our offices, which kind of makes it a VPN connection).

HQ Router <--ENS--> Branch office Router > Firewall

The outside security level is 0 on the ASA. Please let me know if you need any more specifics.

 

VIP Green


As Jouni and Mike have mentioned, you cannot telnet to an interface that is configured with security-level 0. This is a security restriction, as telnet sends traffic in plain text. Telnet should not be used, but if you have to use it for whatever reason, telnet traffic should only be crossing a "secure" network such as your local LAN, where packet sniffing will most likely not happen (though this is still not a good reason to use telnet).

Your options for managing the firewall, again as Jouni has mentioned, are either to set up a RA VPN to the firewall, configure the management-access <interface> command and use SSH or telnet over the VPN (this is recommended when using SSH also), or to connect to the outside interface using SSH.

-- Please remember to rate and select a correct answer
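The management-plane configuration the thread converges on, written out as an added example (not taken from the thread or from any poster): plaintext Telnet is not offered on the security-level 0 outside interface, SSHv2 is restricted to the HQ block, and any remaining Telnet is confined to the inside interface reached through a VPN that terminates on the ASA. Interface names, the 192.0.2.0/24, 198.51.100.0/24 and 10.0.0.0/24 networks and the username are constructed for the example.

```cisco
! Added example, not configuration from the thread. Addresses (RFC 5737 / RFC 1918),
! interface names and the username are constructed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Weak setting (what the thread's symptom points at): Telnet permitted from HQ
! on the outside interface. The ASA refuses plaintext Telnet to an interface
! that is not security-level 100 unless the session arrives inside an IPsec
! tunnel, so this line only looks like it grants access.
!   telnet 198.51.100.0 255.255.255.0 outside
!
! Corrected setting: SSHv2 only on the outside interface, limited to the HQ block,
! with local authentication and an idle timeout.
crypto key generate rsa modulus 2048
ssh version 2
ssh 198.51.100.0 255.255.255.0 outside
ssh timeout 10
aaa authentication ssh console LOCAL
username netadmin password <SET-A-STRONG-PASSWORD> privilege 15
!
! If Telnet must remain, allow it only on the inside interface and reach that
! interface over a VPN terminating on the ASA; management-access lets VPN
! clients address the inside interface directly (Jouni's suggestion above).
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
management-access inside
```

Check the effective management ACLs afterwards with `show running-config ssh` and `show running-config telnet`; the outside interface should appear only under ssh.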
New Member


 

Thanks guys. It was the security level. ;)
