topic Re: No matching connection for ICMP error in Network Security

No matching connection for ICMP error

parisvcisco — Wed, 13 Mar 2019 01:07:07 GMT

I'm seeing this on our cisco pix 515e firewall log quite often:

Sep 1 13:42:52 192.168.120.248 %PIX-4-313005: No matching connection for ICMP error message: icmp src guest:192.168.0.10 dst outside:8.8.8.8 (type 3, code 3) on guest interface. Original IP payload: udp src 8.8.8.8/53 dst 192.168.0.10/52456.

on the firewall we have this set: ip address 192.168.0.248 255.255.255.0

access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any
access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any echo
access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any echo-reply
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp

mtu guest 1500

on a layer 3 switch we have this set:

ip dhcp pool guest_wifi_pool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.248
dns-server 8.8.8.8 8.8.4.4

interface Vlan2
ip address 192.168.0.1 255.255.255.0

then we have unifi access points in this switch. so far the source ips in the error message seem to be iphones!

Hi parisvcisco It looks like

rvarelac — Mon, 01 Sep 2014 20:46:13 GMT

Hi parisvcisco

It looks like the device who have assigned the IP 192.168.0.10 is trying to use the DNS server (53) of the IP 8.8.8.8 and the ASA captures the destination is unreachable (Type 3 ) and the port requested is unreachable (code 3).

It might be an application on the device or that the ASA could be dropping the request for security reasons.

I would suggest you to place a capture on the inside and verify this a DNS request and see which application might be causing this behavior.

Hope this helps !

- Randy -

Yes on the switch I have set

parisvcisco — Tue, 02 Sep 2014 03:39:43 GMT

Yes on the switch I have set the DNS server to be 8.8.8.8 and 8.8.4.4 for that vlan. Do I need to do something on the firewall to allow this?

Hi , And the DNS service

rvarelac — Tue, 02 Sep 2014 16:10:17 GMT

Hi ,

And the DNS service works fine ?

It looks like the ASA is not able to reach the DNS sometimes , can you check if the ASA is dropping the service.

I suggest you to place an ASP capture,

Example :

Capture drop interface inside type asp-drop all

Wait a couple of seconds or start manually the DNS service (request)

And check the capture : Show capture drop | incl 53

Also check on the service policy if the DNS has the inspection enable.

Hope this help

Please rate helpful post !

- Randy -

I don't have type available..

parisvcisco — Wed, 03 Sep 2014 07:56:29 GMT

I don't have type available......

# capture drop interface inside ?

access-list Capture packets that match access-list
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is
non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
headers-only Capture only L2, L3 and L4 headers of packet without data in
them
match Capture packets matching five-tuple
packet-length Configure maximum length to save from each packet, default
is 68 bytes
real-time Display captured packets in real-time. Warning: using this
option with a slow console connection may result in an
excessive amount of non-displayed packets due to performance
limitations.
trace Trace the captured packets

fyi this is a cisco pix 515e so pretty old!

I was able to run this

parisvcisco — Wed, 03 Sep 2014 08:30:53 GMT

I was able to run this:

capture asp type asp-drop all

# show capture asp | inc 8.8.8.8
327: 09:00:10.672618 802.1Q vlan#2 P0 192.168.0.25 > 8.8.8.8: icmp: 192.168.0.25 udp port 52444 unreachable

We have icmp permit any outside but would icmp permit any guest work/help?

Hi,Any reason why your IP

nkarthikeyan — Wed, 03 Sep 2014 12:03:00 GMT

Hi,

Any reason why your IP phone initiates the traffic for 8.8.8.8 ? can you check on the settings of ip phone and make sure it is as per your requirement....

Type 3 – Destination Unreachable

Code 3 - Destination port unreachable

for dns to work..... you need to allow domain in access-list.

access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.8.8 eq domain

access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.4.4 eq domain

also you need to allow the echo-reply for this on inbound acl (outside) interface.

any to 192.168.0.0 - echo-reply

not ip phones just iphones!so

parisvcisco — Wed, 03 Sep 2014 12:07:59 GMT

not ip phones just iphones!

so vlan 2 is for the guest wifi and I want them to use Google's dns servers for DNS.

so on the switch that's doing the routing I have set:

ip dhcp pool guest_wifi_pool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.248
dns-server 8.8.8.8 8.8.4.4

Do I still need to do the steps have you have posted?

Hi, Yes.... on your guest

nkarthikeyan — Wed, 03 Sep 2014 12:25:08 GMT

Hi,

Yes.... on your guest connected interface you need to allow dns (domain) udp - 53 from guest lan to 8.8.8.8 / 8.8.4.4.

And if you want to allow icmp access to those dns servers for checking or testing then you need to allow echo on guest connected interface acl and echo-reply on outside interface acl...

Regards

Karthik

at the moment i have access

parisvcisco — Wed, 03 Sep 2014 12:49:18 GMT

at the moment i have

access-group guest-out in interface guest

do i need to do

access-group guest-in in interface guest

then

access-group guest-in any to 192.168.0.0 - echo-reply

nope.... Please send me your

nkarthikeyan — Wed, 03 Sep 2014 13:09:26 GMT

nope....

Please send me your configuration file.... hide out the sensitive information and send me to this post or to the private message... i will suggest you on that..

Regards

Karthik

Re: No matching connection for ICMP error

Kevin_W — Mon, 09 Mar 2020 09:51:03 GMT

We had the same problem and log messages.
The solution in our scenario is to disable IPv6 on the ethernet adapter of the affected notebook. After that, DNS was successful.

Just in case, some other have the same problem, this might be an alternative solution.