Comments on: Cisco – ASA Error message %ASA-7-710005: TCP request discarded

By: Julie

Julie — Tue, 03 Nov 2009 02:30:29 +0000

Hi Josh,

I just wanted to say thanks for this post. It has saved me from tearing my hair out. I also want to let everyone know, I ran into this problem with a PIX 515 running 8.0 and 7.2(4). So just keep in mind, this is not just an ASA issue.

Thanks again!

By: greg

greg — Thu, 13 Aug 2009 17:09:18 +0000

I have the same problem. After I configured my new ASA 5505 with multiple PAT address I was not able to see any traffic passing the appliance in and out. I was able to ping both the inside and outside interface including through my security router to my border router and was not able to show any traffic counts with my access list. Why wasn’t there any warning from cisco about this? The only sure thing I got from there tutorial was, as long as you have configured a default route in your appliance i.e. route outside 0.0.0.0 0.0.0.0 “gateway” 1 , you should be able to pass all your traffic in and out the appliance,but this was not the case. Is there any one out there has any solution for multiple PAT thorugh the ASA?

By: Anton

Anton — Sun, 25 Jan 2009 20:40:15 +0000

Thanks, Josh!

By: Ryan

Ryan — Thu, 15 May 2008 16:15:01 +0000

I have a similar problem with dhcp replies back to an ASA (7.2(2)) being dropped. Any ideas?

%ASA-6-302015: Built outbound UDP connection 458 for inside:141.1.255.8/67 (141.1.255.8/67) to NP Identity Ifc:141.1.255.12/68 (141.1.255.12/68)
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67

By: bky

bky — Wed, 09 Jan 2008 22:51:02 +0000

TheGrave, that is why cisco certs earn you the big bucks

By: TheGrave

TheGrave — Thu, 06 Dec 2007 14:31:29 +0000

I ran at the same stupid problem with ASA 5505 exactly and it took me a couple of hours troubleshooting before doing the totally illogical thing of changing the PAT statement to use the interface instead of the actual address. This product is probably done by the same idiots that designed the Catalyst 500 Express switch (if you’ve ever touched you know what I’m talking about), I hope that their hands will be chopped off in order to save us from the torture of using this crap.

By: admin

admin — Tue, 27 Nov 2007 04:35:13 +0000

Scott,

You are correct. This only applies to the ip address of the interface. Thanks for helping clear that up.

Josh

By: Scott

Scott — Mon, 26 Nov 2007 19:39:55 +0000

I think that only applies to the interface IP. If you have a range of IP’s available on the outside interface you’d still have to specify the IP and not “interface” for the other IP’s. I imagine this is something you might run into with a 5505 as it’s more likely that the outside interface will only be a /30 and not something larger. I haven’t run into many cases where you’d have a /30 running on something bigger than a 5505. The code’s the same though, regardless.

By: Weis

Weis — Wed, 21 Nov 2007 14:17:11 +0000

Man I was trying to get it fixed for whole day Big thanks for the solution!!!