I had a LAN-to-LAN VPN set up to another organization. There is no longer a need for the VPN tunnel, and I have removed all traces of it from my ASA. However, the other organization still has the VPN configured, and this former VPN peer is still sending traffic to my ASA, causing the following series of messages in the log:
Apr 27 03:49:22 [192.168.53.254.2.2] %ASA-4-713903: Group = X, IP = X, Can't find a valid tunnel group, aborting...!
Apr 27 03:49:22 [192.168.53.254.2.2] %ASA-3-713902: Group = X, IP = X, Removing peer from peer table failed, no match!
Apr 27 03:49:22 [192.168.53.254.2.2] %ASA-4-713903: Group = X, IP = X, Error: Unable to remove PeerTblEntry
Apr 27 03:49:27 [192.168.53.254.2.2] %ASA-4-713903: IP = X, Header invalid, missing SA payload! (next payload = 4)
I would like to eliminate these messages from my ASA's log, as I have no control over when, if ever, the remote entity will stop sending this traffic to my ASA.
I have tried several blocking access-list rules to try and block this traffic, but the rules are never matched (hit count is always 0). Below are examples of the rules I have tried:
access-list OUTSIDE_IN line 1 extended deny udp X eq isakmp any (hitcnt=0)
access-list OUTSIDE_IN line 2 extended deny ip host X host 'myASA IP' (hitcnt=0)
access-list OUTSIDE_IN line 6 extended deny ip host X any (hitcnt=0)
I suspect that this ISAKMP traffic is bypassing the access list so that the packet can attempt to be decrypted before an access-list is applied.
Is there any way to block this ISAKMP traffic from the former VPN peer without affecting any other ISAKMP traffic?
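An added configuration example (not from the original poster) illustrating why the interface ACL shows zero hits and how to-the-box traffic is filtered instead. An interface access-group only evaluates traffic passing through the ASA; IKE/ISAKMP packets addressed to the ASA's own interface address are "to-the-box" traffic and are matched by a control-plane access-group, not by the interface ACL. The peer address 203.0.113.10 and the ASA outside address 198.51.100.1 are constructed placeholders standing in for the "X" and "myASA IP" in the post.

```cisco
! --- What the post tried (matches through-the-box traffic only, so hitcnt stays 0) ---
access-list OUTSIDE_IN extended deny udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-group OUTSIDE_IN in interface outside

! --- To-the-box filtering: a control-plane ACL on the outside interface ---
! Deny IKE (UDP 500) and NAT-T (UDP 4500) from the former peer only.
access-list OUTSIDE_CP extended deny udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE_CP extended deny udp host 203.0.113.10 host 198.51.100.1 eq 4500
! A control-plane ACL ends with an implicit deny, so every other to-the-box
! service (remaining VPN peers, management access) must be explicitly permitted.
access-list OUTSIDE_CP extended permit ip any any
access-group OUTSIDE_CP in interface outside control-plane

! --- Verification: the deny entries should now accumulate hits ---
show access-list OUTSIDE_CP
```

The `permit ip any any` at the end is the line a practitioner is most likely to forget; without it the control-plane ACL silently drops IKE from every other peer as well as SSH/ASDM to the outside address. Denying UDP 4500 alongside 500 covers the case where the remote peer falls back to NAT-T, and restricting the source to the single former peer keeps the rule from affecting other ISAKMP traffic.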