Comments on: Cisco – ASA Error message %ASA-7-710005: TCP request discarded http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/ Tips and Video Tutorials - Cisco .:. Linux .:. VOIP Tue, 29 Nov 2011 04:01:10 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Chris http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-37805 Chris Fri, 11 Feb 2011 22:06:11 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-37805 Thanks for the post! Helped us out! Thanks for the post! Helped us out!

]]> By: Bennie Rayno http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-37785 Bennie Rayno Thu, 10 Feb 2011 03:50:41 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-37785 Thanks for sharing superb informations. Your web site is so cool. I am impressed by the details that you have on this site. It reveals how nicely you understand this subject. Bookmarked this website page, will come back for extra articles. You, my pal, ROCK! I found simply the info I already searched everywhere and just could not come across. Thanks for sharing superb informations. Your web site is so cool. I am impressed by the details that you have on this site. It reveals how nicely you understand this subject. Bookmarked this website page, will come back for extra articles. You, my pal, ROCK! I found simply the info I already searched everywhere and just could not come across.

]]> By: Izoj http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-37619 Izoj Tue, 25 Jan 2011 11:01:54 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-37619 Tell me about it!!! I have been trying to deploy this "smart" ASA 5505 on a part time basis - 3 weeks. Its not working well yet. My set up is as follows: ISP CiscoRTR(1700 or 800)ASA5505LAN Internal clients can now browse and send mail; but incoming mails are blocked. After capture of SMTP, I found that mss is larger than 512bytes DNSSec message-length. Tried to change and this is what the ASDM 5.x is doing: policy-map type inspect dns preset_dns_map parameters message-length maximum 512 message-length maximum client auto Incoming mails are still blocked, I understand the device is still using 512 in preference to client auto. Anyone with a hint to find a work around. Rgds Tell me about it!!!
I have been trying to deploy this “smart” ASA 5505 on a part time basis – 3 weeks. Its not working well yet.

My set up is as follows:
ISP CiscoRTR(1700 or 800)ASA5505LAN

Internal clients can now browse and send mail; but incoming mails are blocked.

After capture of SMTP, I found that mss is larger than 512bytes DNSSec message-length.

Tried to change and this is what the ASDM 5.x is doing:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto

Incoming mails are still blocked, I understand the device is still using 512 in preference to client auto.

Anyone with a hint to find a work around.

Rgds

]]> By: Josh http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-35038 Josh Wed, 01 Dec 2010 19:15:44 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-35038 DOFF! We were just talking about you yesterday (Spirk's going away lunch). Good to see you on the site. Thanks for all the helpful tips. DOFF! We were just talking about you yesterday (Spirk’s going away lunch).

Good to see you on the site. Thanks for all the helpful tips.

]]> By: Doff http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-35024 Doff Fri, 26 Nov 2010 18:54:15 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-35024 Crazy that I ran into BlindHog after all these years! Also, keep an eye out for any DNS issues related to DNSsec and EDNSO. If the FW (specifically a pix or ASA) is configured, by default, for DNS packet inspection, which is set at 512b any DNS packets larger than the default configured size will be dropped. DNSSec will always be larger than 512b. Starting in 8.2.2 of Cisco ASA software ver, it is possible to configure the setting as auto in the DNS Inspection size. ASA configuration: policy-map type inspect dns preset_dns_map parameters message-length maximum maximum client auto On the ASA, you can issue the 'sh asp drop frame' to view the stats of any DNS related drops. internetfw# sh asp drop frame DNS Inspect invalid packet (inspect-dns-invalid-pak) 603 DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 17513 DNS Inspect packet too long (inspect-dns-pak-too-long) 2101 DNS Inspect id not matched (inspect-dns-id-not-matched) 57638 Comcast has a link to a testing site to see if your firewall handles the DNSsec properly. http://www.dnssec-failed.org/ http://www.dnssec.comcast.net/ Crazy that I ran into BlindHog after all these years!

Also, keep an eye out for any DNS issues related to DNSsec and EDNSO. If the FW (specifically a pix or ASA) is configured, by default, for DNS packet inspection, which is set at 512b any DNS packets larger than the default configured size will be dropped. DNSSec will always be larger than 512b. Starting in 8.2.2 of Cisco ASA software ver, it is possible to configure the setting as auto in the DNS Inspection size.

ASA configuration:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum maximum client auto

On the ASA, you can issue the ‘sh asp drop frame’ to view the stats of any DNS related drops.
internetfw# sh asp drop frame
DNS Inspect invalid packet (inspect-dns-invalid-pak) 603
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 17513
DNS Inspect packet too long (inspect-dns-pak-too-long) 2101
DNS Inspect id not matched (inspect-dns-id-not-matched) 57638

Comcast has a link to a testing site to see if your firewall handles the DNSsec properly.
http://www.dnssec-failed.org/

http://www.dnssec.comcast.net/

]]> By: Julie http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-32807 Julie Tue, 03 Nov 2009 02:30:29 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-32807 Hi Josh, I just wanted to say thanks for this post. It has saved me from tearing my hair out. I also want to let everyone know, I ran into this problem with a PIX 515 running 8.0 and 7.2(4). So just keep in mind, this is not just an ASA issue. Thanks again! Hi Josh,

I just wanted to say thanks for this post. It has saved me from tearing my hair out. I also want to let everyone know, I ran into this problem with a PIX 515 running 8.0 and 7.2(4). So just keep in mind, this is not just an ASA issue.

Thanks again!

]]> By: greg http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-32559 greg Thu, 13 Aug 2009 17:09:18 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-32559 I have the same problem. After I configured my new ASA 5505 with multiple PAT address I was not able to see any traffic passing the appliance in and out. I was able to ping both the inside and outside interface including through my security router to my border router and was not able to show any traffic counts with my access list. Why wasn't there any warning from cisco about this? The only sure thing I got from there tutorial was, as long as you have configured a default route in your appliance i.e. route outside 0.0.0.0 0.0.0.0 "gateway" 1 , you should be able to pass all your traffic in and out the appliance,but this was not the case. Is there any one out there has any solution for multiple PAT thorugh the ASA? I have the same problem. After I configured my new ASA 5505 with multiple PAT address I was not able to see any traffic passing the appliance in and out. I was able to ping both the inside and outside interface including through my security router to my border router and was not able to show any traffic counts with my access list. Why wasn’t there any warning from cisco about this? The only sure thing I got from there tutorial was, as long as you have configured a default route in your appliance i.e. route outside 0.0.0.0 0.0.0.0 “gateway” 1 , you should be able to pass all your traffic in and out the appliance,but this was not the case. Is there any one out there has any solution for multiple PAT thorugh the ASA?

]]> By: Anton http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-24008 Anton Sun, 25 Jan 2009 20:40:15 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-24008 Thanks, Josh! Thanks, Josh!

]]> By: Ryan http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-11264 Ryan Thu, 15 May 2008 16:15:01 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-11264 I have a similar problem with dhcp replies back to an ASA (7.2(2)) being dropped. Any ideas? %ASA-6-302015: Built outbound UDP connection 458 for inside:141.1.255.8/67 (141.1.255.8/67) to NP Identity Ifc:141.1.255.12/68 (141.1.255.12/68) %ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67 %ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67 I have a similar problem with dhcp replies back to an ASA (7.2(2)) being dropped. Any ideas?

%ASA-6-302015: Built outbound UDP connection 458 for inside:141.1.255.8/67 (141.1.255.8/67) to NP Identity Ifc:141.1.255.12/68 (141.1.255.12/68)
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 141.1.255.8/67 to inside:255.255.255.255/67

]]> By: bky http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/comment-page-1/#comment-7451 bky Wed, 09 Jan 2008 22:51:02 +0000 http://www.blindhog.net/cisco-asa-error-message-asa-7-710005-tcp-request-discarded/#comment-7451 TheGrave, that is why cisco certs earn you the big bucks ;) TheGrave, that is why cisco certs earn you the big bucks ;)

]]>