topic Re: %ASA-4: No matching connection for ICMP error message: in Network Security

%ASA-4: No matching connection for ICMP error message:

CiscoBrownBelt — Tue, 12 Mar 2019 11:22:12 GMT

So while looking at the logging monitor in the ASDM, I see the following below when just accessing webpages from my PC.

Can anyone help explain what this all means as I am not pinging anything.

Feb 19 2019

21:24:58

313005

No matching connection for ICMP error message: icmp src inside: X.X.X.98 dst outside: X.X.X.11 (type 3, code 3) on inside interface. Original IP payload: udp src X.X.X.11/53 dst X.X.X.98/52906.

Syslog Details:

%ASA-4-313005: No matching connection for ICMP error message:
icmp_msg_info on interface_name interface. Original IP payload:
embedded_frame_info icmp_msg_info = icmp src src_interface_name:src_address [([idfw_user | FQDN_string], sg_info)] dst dest_interface_name:dest_address [([idfw_user | FQDN_string], sg_info)] (type icmp_type, code icmp_code)
embedded_frame_info = prot src source_address/source_port [([idfw_user |
FQDN_string], sg_info)] dst dest_address/dest_port [(idfw_user|FQDN_string),
sg_info]
ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA.

Re: %ASA-4: No matching connection for ICMP error message:

Mohammed al Baqari — Wed, 20 Feb 2019 04:06:57 GMT

ICMP type 3 is destination unreachable. As the name implies, ASA received
ICMP unreachable message and dropped it because there is no ICMP active
connection for same source destination.

Typically this is because you initiated a connected to an IP address xyz
and when the packet passed ASA and arrived at your upstream router, the
router can't route this packet because there is no route entry in its
table. The router will respond with destination unreachable message to you.
Now ASA will drop this packet because you don't have active connection for
ICMP and you don't have an ACL to allow ICMP unreachable.

Hope its clear now. To fix this issue look at your upstream router (or l3
switch) and see why it can't route packets. Also, if you don't have
security concerns allow ICMP unreachable messages through an ACL.

Re: %ASA-4: No matching connection for ICMP error message:

CiscoBrownBelt — Wed, 20 Feb 2019 14:13:47 GMT

Ok thanks!

When you say router can't route the packets I am a bit confused. Wouldn't it route to the internet webpage via default 0.0.0.0 route or are you describing a different kind or route process that happens?

Re: %ASA-4: No matching connection for ICMP error message:

Mohammed al Baqari — Wed, 20 Feb 2019 16:09:35 GMT

Ideally you are right but this isn't happening which you need to look at

Re: %ASA-4: No matching connection for ICMP error message:

CiscoBrownBelt — Thu, 21 Feb 2019 23:25:12 GMT

Awesome thanks!
Perhaps some misconfiguration or something. I will look.

Re: %ASA-4: No matching connection for ICMP error message:

Kevin_W — Mon, 09 Mar 2020 09:50:34 GMT

We had the same problem and log messages.
The solution in our scenario is to disable IPv6 on the ethernet adapter of the affected notebook. After that, DNS was successful.

Just in case, some other have the same problem, this might be an alternative solution.

Re: %ASA-4: No matching connection for ICMP error message:

CiscoBrownBelt — Mon, 09 Mar 2020 13:49:14 GMT

Good stuff thanks.
I will try that.

Re: %ASA-4: No matching connection for ICMP error message:

flerben33 — Thu, 05 Nov 2020 20:17:01 GMT

I'm seeing this with two devices that are directly connected to the ASA and am wondering what might cause that.

Re: %ASA-4: No matching connection for ICMP error message:

Peter Koltl — Thu, 03 Jun 2021 14:11:27 GMT

Neither explanation is sufficient in my opinion. The Unreachable packet refers to a previous UDP/53 DNS packet (a reply packet actually) that is probably a valid reply to a valid DNS request. Somehow the client refuses to accept the DNS reply as if it had already removed the UDP socket from its connection table but why? The client should accept the DNS response and should not send ICMP unreachable.