
VPN IPsec loses connection (ESP request dropped)

Last Modified: 2019-07-27
Hi,
We have an IPsec VPN between two ASAs. The VPN works fine, but it loses connection many times a day; the underlying network looks fine.

When we check the log we find this message:
%ASA-session-7-710006: ESP request discarded from X TO Y
(you can check all the logs in the attached file)

Can you tell me what exactly this message means and how the problem can be fixed?
esp-disc.rtf

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
It is a connection failure.  

Quote from a Google search for "ASA ICMP error": "ssh timeout command to increase the default value of 5 minutes".

Try raising this value (the max is 60 minutes, but I suggest 10 minutes to start).

Author

Commented:
My request is about this message.

Just to be sure, are you speaking about this log message?

%ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
John, Business Consultant (Owner)

Commented:
99% of the messages were teardown / build-up.

But for the one above, the request might be discarded because of a timeout.

Author

Commented:
Just to clarify: the endpoints are two ASAs which form an IPsec VPN, so I don't understand why the ASAs try to have an ICMP connection in the VPN tunnel.
John, Business Consultant (Owner)

Commented:
You probably should work through this article:

https://learningnetwork.cisco.com/thread/98248

Author

Commented:
Thanks for the document, but the issue is not that I can't ping; the issue is that the IPsec VPN between 192.168.87.240 and 10.61.33.2 loses connection, and at the moment the VPN loses connection I start to get this message: %ASA-session-7-710006: ESP request discarded
John, Business Consultant (Owner)

Commented:
I don't think that is an ICMP issue.

"The issue is that the IPsec VPN between 192.168.87.240 and 10.61.33.2 loses connection, and the moment the VPN loses connection I start to get this message."

That seems different than your first message.

Turn on logging at both ends, clear the logs, connect and see what other connection messages you get.

Post those here.
John, Business Consultant (Owner)

Commented:
There are a dozen settings in IPsec VPN.  Any of them in error can cause a failure to connect.

You connect and then it drops. Look at timeout messages. There are a couple of standard time-length settings in IPsec. Check all of these.

Author

Commented:
The issue is that the VPN loses connection a few times a day and then comes back. Right now the VPN looks fine, so I think the logs wouldn't be helpful.

But below you can see the logs from exactly when the VPN lost connection:

Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-5-713041: IP = 192.168.87.240, IKE Initiator: New Phase 1, Intf DMZ_VOICE_ORANGE, IKE Peer 192.168.87.240  local Proxy Address 10.174.83.0, remote Proxy Address 10.196.19.28,  Crypto map (WEBHELP_MGMT_map)
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-7-715046: IP = 192.168.87.240, constructing ISAKMP SA payload
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-7-715046: IP = 192.168.87.240, constructing Fragmentation VID + extended capabilities payload
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-7-713236: IP = 192.168.87.240, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 264
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-7-713906: IKE Receiver: Packet received on 10.61.33.2:500 from 192.168.87.240:500
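The log excerpt above shows the pattern worth watching for: a burst of %ASA-7-710006 (an ESP packet, IP protocol 50, arrived for this ASA but could not be matched to an active IPsec SA, so it was dropped) sitting right next to %ASA-5-713041 (this side starting a fresh IKE Phase 1 with the same peer). Read together, they say the peer was still sending ESP on a tunnel this side had already torn down. The script below is an added example and not part of the original thread: it parses ASA syslog lines in the format shown in the post, counts ESP discards and Phase 1 restarts per peer, and reports how many discards fall within a time window of a restart. The sample log embeds lines copied from the post plus one constructed line for an unrelated peer (203.0.113.9); the 30-second window is an assumed value.

```python
"""Added example (not from the original post): correlate ASA syslog ESP
discards (710006) with IKE Phase 1 restarts (713041) per peer, so that a
tunnel flap shows up as a summary instead of a wall of log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Prefix format exactly as it appears in the post:
# "Jul 26 15:54:26 10.61.33.2 : %ASA-<class>-<severity>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+:\s+"
    r"%ASA-(?P<cls>[a-z]+)-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)
ESP_RE = re.compile(r"ESP request discarded from (?P<src>\S+) to (?P<dst>\S+)")
PHASE1_RE = re.compile(r"IP = (?P<peer>[\d.]+), IKE Initiator: New Phase 1")

# Sample input: lines 1-7 are copied from the post; the last line is constructed
# (a discard from an unrelated peer that never restarts Phase 1).
SAMPLE_LOG = """\
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-5-713041: IP = 192.168.87.240, IKE Initiator: New Phase 1, Intf DMZ_VOICE_ORANGE, IKE Peer 192.168.87.240  local Proxy Address 10.174.83.0, remote Proxy Address 10.196.19.28,  Crypto map (WEBHELP_MGMT_map)
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-7-715046: IP = 192.168.87.240, constructing ISAKMP SA payload
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 192.168.87.240 to WEBHELP_MGMT:10.61.33.2
Jul 26 15:54:26 10.61.33.2 : %ASA-vpn-7-713906: IKE Receiver: Packet received on 10.61.33.2:500 from 192.168.87.240:500
Jul 26 16:10:00 10.61.33.2 : %ASA-session-7-710006: ESP request discarded from 203.0.113.9 to WEBHELP_MGMT:10.61.33.2
""".splitlines()


def parse_line(line, year=2019):
    """Split one ASA syslog line into its fields; return None for non-matching lines.
    ASA syslog carries no year, so the caller supplies one (2019 assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msgid": m["msgid"], "text": m["text"]}


def find_flaps(lines, window_s=30):
    """Return {peer: {"phase1_restarts", "esp_discards", "correlated"}}.
    'correlated' counts ESP discards from a peer that fall within window_s
    seconds of a Phase 1 restart toward that same peer (window is an assumption)."""
    restarts = defaultdict(list)   # peer -> [timestamps of 713041]
    discards = defaultdict(list)   # peer -> [timestamps of 710006]
    for e in filter(None, (parse_line(l) for l in lines)):
        if e["msgid"] == "713041":
            m = PHASE1_RE.search(e["text"])
            if m:
                restarts[m["peer"]].append(e["ts"])
        elif e["msgid"] == "710006":
            m = ESP_RE.search(e["text"])
            if m:
                discards[m["src"]].append(e["ts"])
    summary = {}
    for peer in sorted(set(restarts) | set(discards)):
        correlated = sum(
            1 for d in discards[peer]
            if any(abs((d - r).total_seconds()) <= window_s for r in restarts[peer])
        )
        summary[peer] = {
            "phase1_restarts": len(restarts[peer]),
            "esp_discards": len(discards[peer]),
            "correlated": correlated,
        }
    return summary


if __name__ == "__main__":
    for peer, s in find_flaps(SAMPLE_LOG).items():
        print(f"{peer}: restarts={s['phase1_restarts']} "
              f"esp_discards={s['esp_discards']} correlated={s['correlated']}")
```

Run against the full attached log, a peer whose discards are almost all "correlated" is flapping (SA torn down and rebuilt); a peer with discards and no restarts is sending ESP this ASA never expected, which is a different problem (stale SA on the far side, or traffic from an unconfigured peer) and is worth a closer look.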
John, Business Consultant (Owner)

Commented:
Look through these settings below and see how your tunnel compares.

Description
Tunnel Number 5
Interface on Router WAN 1
Enabled

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
192.168.000.0
255.255.255.0

Remote Gateway Type:  IP Only
(External) IP address
Remote Security Group type: Subnet
192.168.222.0
255.255.255.0

Keying Mode: IKE Pre-share
Phase 1
Group 2
3DES
SHA1
28800 Sec.
PFS OFF

Phase 2
Group 2
3DES
SHA1
3600 Sec.
Pre-shared key

Advanced
Main Mode (for site to site)
Compress OFF
Keep Alive ON Default
AH Hash (MD5) I have OFF
NetBIOS OFF
Nat Traversal ON or OFF whichever works
John, Business Consultant (Owner)

Commented:
Are these ASA devices on two different external IP addresses? I cannot see that from your post.

Two 10. subnets and one 192. subnet.

Author

Commented:
I have PFS active on one side and off on the other side,
I don't use NAT,
NetBIOS is on.
John, Business Consultant (Owner)

Commented:
Turn PFS OFF altogether. I have it OFF on both sides of ALL tunnels.

NAT Traversal (if set wrong) may prevent a connection so that is not it.
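The mismatch the author described (PFS on at one end, off at the other) is the kind of thing that is easiest to catch by comparing the two peers' crypto map entries side by side rather than by eye. The script below is an added example, not code from the thread or from Cisco: it parses the `crypto ipsec ikev1 transform-set` and `crypto map ... set ...` lines of two ASA configurations, resolves transform-set names to their algorithms (the names may legitimately differ between sides), and lists every setting that does not agree. The two configurations are constructed for the example; the map names, ACL names, transform-set names, DH group and lifetime are assumptions. Whichever PFS choice you make, both sides must carry the same one; keeping PFS enabled on both ends is the stronger setting, and the fixed configuration at the bottom shows it matched that way.

```python
"""Added example (not from the original thread): compare the crypto map
entries of two ASA peers and flag settings that do not match."""
import re

TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+)\s+(.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (.+)$")

# Constructed configs (assumed names, group and lifetime): side A has PFS, side B does not.
SIDE_A = """\
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map WEBHELP_MGMT_map 10 match address WEBHELP_MGMT_acl
crypto map WEBHELP_MGMT_map 10 set peer 192.168.87.240
crypto map WEBHELP_MGMT_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map WEBHELP_MGMT_map 10 set pfs group14
crypto map WEBHELP_MGMT_map 10 set security-association lifetime seconds 3600
crypto map WEBHELP_MGMT_map interface DMZ_VOICE_ORANGE
"""
SIDE_B = """\
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_map 20 match address TO_WEBHELP_acl
crypto map OUTSIDE_map 20 set peer 10.61.33.2
crypto map OUTSIDE_map 20 set ikev1 transform-set TS-AES256
crypto map OUTSIDE_map 20 set security-association lifetime seconds 3600
crypto map OUTSIDE_map interface outside
"""
# Corrected side B: the same PFS group as side A.
SIDE_B_FIXED = SIDE_B + "crypto map OUTSIDE_map 20 set pfs group14\n"


def parse_crypto_map(config_text):
    """Return {seq: {setting: value}} for one ASA's crypto map entries.
    Transform-set names are resolved to their algorithm list so that two
    sides using different names for the same algorithms still compare equal."""
    transform_sets = {}
    entries = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            transform_sets[m.group(1)] = tuple(m.group(2).split())
            continue
        m = MAP_RE.match(line)
        if not m:
            continue                      # match address / interface lines are not compared
        seq = int(m.group(2))
        words = m.group(3).split()
        e = entries.setdefault(seq, {"pfs": "off"})   # no 'set pfs' line means PFS is off
        if words[0] == "pfs":
            # 'set pfs' with no group: ASA applies a default group; recorded as such
            e["pfs"] = words[1] if len(words) > 1 else "default-group"
        elif words[:2] == ["ikev1", "transform-set"]:
            e["transform"] = tuple(sorted(transform_sets.get(n, (n,)) for n in words[2:]))
        elif words[:3] == ["security-association", "lifetime", "seconds"]:
            e["sa_lifetime_s"] = int(words[3])
        elif words[0] == "peer":
            e["peer"] = words[1]
    return entries


def compare_entries(local, remote, local_seq, remote_seq):
    """Return [(setting, local_value, remote_value)] for every setting that differs.
    'peer' is skipped because it is expected to differ (each side names the other).
    A value missing on one side is reported as None rather than assumed to be
    the ASA default, so the reader decides whether the default matches."""
    a, b = local.get(local_seq, {}), remote.get(remote_seq, {})
    return [(k, a.get(k), b.get(k))
            for k in sorted((set(a) | set(b)) - {"peer"})
            if a.get(k) != b.get(k)]


if __name__ == "__main__":
    for label, cfg in (("as posted", SIDE_B), ("fixed", SIDE_B_FIXED)):
        diffs = compare_entries(parse_crypto_map(SIDE_A), parse_crypto_map(cfg), 10, 20)
        print(f"side B {label}: {diffs or 'no mismatches'}")
```

The comparison is deliberately narrow (transform set, PFS, SA lifetime); the ISAKMP policy (Phase 1 encryption, hash, DH group, lifetime) is configured separately and needs the same treatment, but a mismatch there usually stops the tunnel from coming up at all rather than making it flap.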

Author

Commented:
Yes, the ASA devices are on two external addresses:

192.168 on one side and 10. on the other side.
John, Business Consultant (Owner)

Commented:
Why do you have two different 10. addresses?  There should be one endpoint.  Is it getting confused?

Author

Commented:
OK, I will set PFS off on both sides, and I will check whether we still lose connection.

Thanks for your support.

Author

Commented:
One has the 192.168.87.240 address, the other has the 10.61.33.2 address.
John, Business Consultant (Owner)

Commented:
That part I understand, but there are two 10. addresses so that may risk some confusion when the endpoints connect. Seems that way from what I see here.

If you have two endpoints from one source, they should be entirely different tunnels, not combined.

Author

Commented:
I set PFS off; it looks fine. I hope that I will not have the same issue in future.
I just want to understand: if we have a mismatch in PFS, can we end up with a VPN which loses connection many times a day?
John, Business Consultant (Owner)
Commented:
It appears PFS was the answer

Author

Commented:
So thanks a lot.
John, Business Consultant (Owner)
Commented:
You should know soon if the connection is stable or drops. If stable (looks like it is), then you should close the question. Left side of your first post  "I have my answer"

Thanks, and I was happy to help you here in your first question.

Author

Commented:
Thanks John.

Author

Commented:
the Link is stable
John, Business Consultant (Owner)
Commented:
Thanks for the update, and I was happy to help you get this connection working properly.

Author

Commented:
I hope that the ticket is closed now.
John, Business Consultant (Owner)

Commented:
Yes it is - all wrapped up.