Solved

ASA 5520 ASDM Syslog messages

Posted on 2013-12-17
7
595 Views
Last Modified: 2013-12-24
Hello,

I'm seeing the asdm syslog messages roll by with the following:

IP = <IP Address> Header invalid, missing SA payload! (next payload = 4)

I do have VPNs configured, one site-to-site and the other a regular one. Neither of those originate from the IP address mentioned.

I put that IP into a drop ACL at the begining on the outside interface and it still keeps on coming.

Any idea on what this is and why its happening? How do i stop it?

Thanks
0
Comment
Question by:netcmh
  • 4
  • 3
7 Comments
 
LVL 8

Expert Comment

by:TMekeel
ID: 39724479
Did you remove any VPNs?

Can you try clear crypto isakmp sa invalid ip address?

edited for I typed the command incorrectly....
0
 
LVL 20

Author Comment

by:netcmh
ID: 39724634
When I issued that command, I got this:

Can't find a valid tunnel group, aborting...

I don't have that IP anywhere in my config.
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39725053
Can you try rebooting the device and see if it persists?
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 20

Author Comment

by:netcmh
ID: 39725072
I could. It'll have to wait till maintenance window. Early next month.

Anything else I could try in the mean while?
0
 
LVL 8

Expert Comment

by:TMekeel
ID: 39725576
The only thing I could think of is to reset the tunnel, but we tried clearing already, and you have an ACL to block inbound on the outside interface...not sure what else to do besides reboot or call TAC and ask!


Perhaps another Expert can chime in;  I'm sorry I don't know off the top of my head.  I will try some google-fu for you though and see if I can gain some knowledge to pass on.
0
 
LVL 20

Accepted Solution

by:
netcmh earned 0 total points
ID: 39729800
Got it figured out.

Did a reverse IP lookup. Found the company. Called them.

They had a vendor with that IP earlier. Got in touch with their infrastructure team, verified that the config belonged to the old vendor (who has now changed their IP), and had it removed.

The sessions stopped.
0
 
LVL 20

Author Closing Comment

by:netcmh
ID: 39737638
This was the solution.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now