Hello,
Have you ever seen errors that drive people mad? I met one the other day… The error message from a Cisco ASA 5508-X firewall was: “%ASA-7-710006: ESP request discarded from X.X.X.X to interface outside:Y.Y.Y.Y”. It occurred after the core switch and the ASA were accidentally rebooted. There were four site-to-site VPN tunnels set up and they worked fine prior to the reboot; after the reboot only three were up and one was not establishing, with the described error being the only indication in the log. Interestingly enough, after a while the VPN came up, but it was uni-directional, as if the ACL for interesting traffic was matching only on the remote end and not on the ASA end. I tried searching Google for the error and really did not find anything in particular that helped to resolve it.
Official documentation says about this error code:
%ASA-7-710006: protocol request discarded from source_address to interface_name:dest_address

Explanation: This message appears when the adaptive security appliance does not have an IP server that services the IP protocol request; for example, the adaptive security appliance receives IP packets that are not TCP or UDP, and the adaptive security appliance cannot service the request.

Recommended Action: In networks that use broadcasting services such as DHCP, RIP or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.

However, after reading the explanation section I was puzzled even more (what did they actually mean? 😉): there was no difference in setup between the four VPN tunnels, yet only three were operating and the fourth was failing. It was not a DDoS either, as I saw that message only for the IPsec peer and only when it tried to establish the IPsec connection. A bug search on the Cisco website for the specific keywords did not reveal anything useful. Just in case, I updated the ASA image to the latest in the 9.6 train and rebooted it, hoping the issue would go away ‘automagically’ ;). Nope, it persisted.
The next step was to start thinking more thoroughly. If the explanation says that the IP server servicing the IP protocol request cannot service the request, then the ASA for some reason does not accept the ESP request from that specific peer; the peer had no change in its configuration, so the issue is on the ASA side. Cool... but I already knew that ;). The next step, apart from triple-checking the VPN configuration (in fact deleting and recreating it from scratch, without any success), was kinda random: what if the ASA drops the ESP packet because the destination subnet for that packet is not reachable? I say random because that thought came into my brain absolutely from nowhere. That tunnel had been set up very recently for a test environment connected to the ASA via a VLAN interface (within the inside trunk connection), so I tried to ping a test VM, with no success. I then checked the ARP records seen on that VLAN and did not find any! That was getting interesting: the ‘show interface’ output was fine, showing that the VLAN interface was up and the line protocol was up too, only the input counters were all zeros…
Fast forward: the ASA stopped accepting ESP for that specific peer because the VLAN used to terminate the VPN traffic had been wiped from the core switch when it rebooted (the config was not saved). There was therefore no active VLAN in the trunk connection to the ASA, and that caused the ASA to drop ESP packets for that specific site-to-site VPN tunnel. After the VLAN was recreated on the switch, the IPsec tunnel was established immediately without any issues.
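As an added example (not from the original post), here is a small Python checker that parses %ASA-7-710006 lines from syslog and separates the two cases the documentation lumps together: a configured IPsec peer being discarded repeatedly (a tunnel or forwarding problem on the ASA side, as in this incident) versus ESP arriving from addresses that are not peers at all. The log lines, hostnames and the peer list are constructed; addresses come from documentation ranges.

```python
import re
from collections import Counter

# Pattern for the ASA message discussed above (field names follow the documentation text).
DISCARD_RE = re.compile(
    r"%ASA-7-710006: (?P<proto>\S+) request discarded from (?P<src>[\d.]+)"
    r" to interface (?P<iface>[^:]+):(?P<dst>[\d.]+)"
)

# Constructed sample syslog lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "Jul 12 10:01:02 asa01 %ASA-7-710006: ESP request discarded from 203.0.113.10 to interface outside:198.51.100.1",
    "Jul 12 10:01:03 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.9/443",
    "Jul 12 10:01:32 asa01 %ASA-7-710006: ESP request discarded from 203.0.113.10 to interface outside:198.51.100.1",
    "Jul 12 10:01:40 asa01 %ASA-7-710006: ESP request discarded from 192.0.2.77 to interface outside:198.51.100.1",
    "Jul 12 10:01:41 asa01 %ASA-7-710006: ESP request discarded from 192.0.2.77 to interface outside:198.51.100.1",
    "Jul 12 10:01:42 asa01 %ASA-7-710006: ESP request discarded from 192.0.2.77 to interface outside:198.51.100.1",
    "Jul 12 10:01:50 asa01 %ASA-7-710006: ESP request discarded from 192.0.2.5 to interface outside:198.51.100.1",
    "Jul 12 10:02:02 asa01 %ASA-7-710006: ESP request discarded from 203.0.113.10 to interface outside:198.51.100.1",
]

# Constructed: the IPsec peers configured on this ASA (the site-to-site tunnel endpoints).
KNOWN_PEERS = {"203.0.113.10", "203.0.113.20"}


def parse_discards(lines):
    """Return one dict (proto, src, iface, dst) per 710006 line; other messages are ignored."""
    return [m.groupdict() for m in map(DISCARD_RE.search, lines) if m]


def classify_esp_discards(lines, known_peers, threshold=3):
    """Map each source with at least `threshold` ESP discards to a verdict:
    'vpn-peer-failing' - a configured peer the ASA keeps rejecting: look for a tunnel or
        forwarding problem on the ASA side (here: the VLAN missing from the trunk).
    'unexpected-esp'   - ESP from an address that is not a configured peer; the
        documentation notes that a high rate of this message may indicate an attack.
    """
    counts = Counter(d["src"] for d in parse_discards(lines) if d["proto"] == "ESP")
    return {
        src: ("vpn-peer-failing" if src in known_peers else "unexpected-esp")
        for src, n in counts.items() if n >= threshold
    }


if __name__ == "__main__":
    for src, verdict in sorted(classify_esp_discards(SAMPLE_LOG, KNOWN_PEERS).items()):
        print(f"{src:15} {verdict}")
```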
Hope it may help someone troubleshooting a similar issue.
P.S. No console outputs this time, as I am writing this from memory.