topic Re: %ASA-4-313005: No matching connection for ICMP error message in Network Security

%ASA-4-313005: No matching connection for ICMP error message:

danilodicesare — Mon, 11 Mar 2019 17:04:17 GMT

Hi all,

i'd like to understand what this message means:

Feb 02 2010 16:30:14 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:1.1.1.1 dst vlan_inside:2.2.2.2 (type 3, code 3) on outside interface. Original IP payload: udp src 2.2.2.2/53 dst 1.1.1.1/49462.

I've got a ASA and behind some DNS. Often i see message below and i cannot understand why.

may anyone can help me?

tnx

Das

Re: %ASA-4-313005: No matching connection for ICMP error message

sachinraja — Tue, 02 Feb 2010 15:48:01 GMT

Hello Das

Have you allowed ICMP between the zones ? This just shows that ICMP is dropped between the IP addresses specified.. this is just a warning message .. the session may not be established, but need to have a look on the sourcen and destination IPs given in the error.. do you see the source/destination on your network ? Are you getting too many of these, or just once in a while ?

Raj

Re: %ASA-4-313005: No matching connection for ICMP error message

danilodicesare — Tue, 02 Feb 2010 15:55:17 GMT

Hi Raj,

i've got a lot of those and i think icmp is allowed from outside.

Das

Re: %ASA-4-313005: No matching connection for ICMP error message

sachinraja — Tue, 02 Feb 2010 16:15:48 GMT

Hi Das

Its good to have ICMP disabled from outside... you should not have it open unless it is highly essential.. even if it is, its better to disable.. what are the ip addresses shown in the log message ? Is it anything related to your network ? Do you have IPS or CSMARs on your network ? These devices can actually inspect packets on application layer and see if there are any vulnerabilities or attacks on the packets entering your network...

Thanks

Raj

%ASA-4-313005: No matching connection for ICMP error message:

John Peterson — Wed, 13 Jun 2012 20:19:22 GMT

Hi,

I am also having this message on our ASA, we have no idea of the IP address which is trying to connect.

Is there a Cisco refernce to these syslog outpus?

Hi,This is a 4-year old

m.sohnius — Thu, 13 Mar 2014 19:38:09 GMT

Hi,

This is a 4-year old question, yet it comes up top of a relevant Google search, so it might be worth trying to answer:

Search for "%ASA-4-313005" on this page,

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html

to see what Cisco has to say about it (admittedly for a PIX, but the dame applies to ASA's).

For the background as to what may be happening look here:

http://silviocesare.wordpress.com/2007/10/20/icmp-destination-unreachable/

On the whole, it's actually a bad idea categorically to deny incoming ICMP messages; echo-reply should certainly be allowed (so that people can ping) but some other ICMP's, including most "unreachable" messages, should also be allowed, particularly if you user community is technical and wants to do things like traceroutes. Also, maximum-MSS negotiation - crucial for proper functioning of TCP - relies on "ICMP unreachable" control messages.

So, follow Cisco's advice and block the attacking address. That is a good way to get rid of the log messages without actually disabling message type 313005 altogether. The traffic itself is blocked anyway - that's what the firewall already did for you, and why it wrote a log message!

I am seeing this too.So it

Vern Brinkman — Wed, 01 Jul 2015 20:12:51 GMT

I am seeing this too.

So it goes out as ICMP and returns UDP?????

udp src 2.2.2..................

icmp src outside:...............

Is this why the ASA can't find a match?