Fri 26 Oct 2007
Cisco - ASA Error message %ASA-7-710005: TCP request discarded
Posted by Josh under Cisco, Cisco Routers
I ran into a strange issue with a Cisco ASA firewall today. The firewall was not passing traffic to the internal host although I had the static statement configured and access-lists allowing incoming traffic.
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
access-list acl_outside permit tcp any host 12.34.56.78 eq 25
access-group acl_outside in interface outside
With the logging level set at 5, I did not see anything in the logs. I just noticed the access-list counters were not incrementing and the connection wasn’t working. I changed the logging level to 7 and started seeing the following error message:
Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside: 12.34.56.78/25
The problem was that I configured the static statement with the public IP address of the outside interface instead of the ‘interface’ keyword.
Incorrect:
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
Correct:
static (inside,outside) tcp interface smtp 10.1.1.50 smtp netmask 255.255.255.255
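A way to check a saved configuration for this mistake and tie it to the 710005 messages, as an added example that is not part of the original post. It assumes ASA 7.x style `nameif` / `ip address` interface blocks; the interface names, the /30 mask, the inside address and the second static line are constructed sample data.

```python
import re

# Constructed sample: addresses from the post, interface blocks and 2nd static assumed.
CONFIG = """\
interface Vlan2
 nameif outside
 ip address 12.34.56.78 255.255.255.252
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.51 www netmask 255.255.255.255
"""
LOGS = "Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside: 12.34.56.78/25\n"
PORTS = {"smtp": 25, "www": 80}  # only the service names used in the sample

def interface_ips(config):
    """Map each nameif to the IP address configured on that interface."""
    ips, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+ip address (\d+\.\d+\.\d+\.\d+) ", line)) and name:
            ips[name] = m.group(1)
    return ips

def misconfigured_statics(config):
    """Static PAT lines whose mapped address is the mapped interface's own IP."""
    ips = interface_ips(config)
    pat = re.compile(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) ")
    hits = []
    for line in config.splitlines():
        m = pat.match(line)
        if m and m.group(4) == ips.get(m.group(2)):
            port = str(PORTS.get(m.group(5), m.group(5)))
            hits.append((m.group(2), m.group(3).upper(), m.group(4), port, line))
    return hits

def correlate(config, logs):
    """Pair each flagged static line with the 710005 messages it explains."""
    log_re = re.compile(r"%ASA-7-710005: (TCP|UDP) request discarded from \S+ to (\S+?): ?(\S+)/(\d+)")
    result = []
    for ifc, proto, ip, port, line in misconfigured_statics(config):
        matched = [l for l in logs.splitlines()
                   if (m := log_re.search(l)) and m.groups() == (proto, ifc, ip, port)]
        result.append((line, matched))
    return result
```

Only the static that names the outside interface's own address is flagged; the one already using the `interface` keyword is left alone, as is any static for another address in the outside subnet.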

November 21st, 2007 at 8:17 am
Man, I was trying to get it fixed for the whole day
Big thanks for the solution!!!
November 26th, 2007 at 1:39 pm
I think that only applies to the interface IP. If you have a range of IP’s available on the outside interface you’d still have to specify the IP and not “interface” for the other IP’s. I imagine this is something you might run into with a 5505 as it’s more likely that the outside interface will only be a /30 and not something larger. I haven’t run into many cases where you’d have a /30 running on something bigger than a 5505. The code’s the same though, regardless.
November 26th, 2007 at 10:35 pm
Scott,
You are correct. This only applies to the IP address of the interface. Thanks for helping clear that up.
Josh
December 6th, 2007 at 8:31 am
I ran into the same stupid problem with ASA 5505 exactly and it took me a couple of hours troubleshooting before doing the totally illogical thing of changing the PAT statement to use the interface instead of the actual address. This product is probably done by the same idiots that designed the Catalyst 500 Express switch (if you’ve ever touched one you know what I’m talking about), I hope that their hands will be chopped off in order to save us from the torture of using this crap.
January 9th, 2008 at 4:51 pm
TheGrave, that is why Cisco certs earn you the big bucks
May 15th, 2008 at 10:15 am
I have a similar problem with dhcp replies back to an ASA (7.2(2)) being dropped. Any ideas?
%ASA-6-302015: Built outbound UDP connection 458 for inside:141.1.255.8/67 (141.1.255.8/67) to NP Identity Ifc:141.1.255.12/68 (141.1.255.12/68)
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67