topic Re: No matching connection for ICMP error message. in Network Security

No matching connection for ICMP error message.

CiscoBrownBelt — Fri, 21 Feb 2020 15:32:27 GMT

See diagram attachment.

I receive the following error in the logs of the ASA:

no matching connection for ICMP error message: icmp src Inside: 10.10.10.1 dst identity: 10.10.10.251 (type 3 code 13) on Inside interface. Original payload: icmp src 10.10.10.251 dst 10.10.10.1 (type 0, code 0)

So basically I am pining from the internal side (left router/10.10.10.1) to internal IP of FW (10.10.10.251).

I added a network object (Internal Lan) to allow all 192 address so I entered 192.168.0.0 /16 and applied this to allow ICMP to the internal and external interfaces of the FW. Obviously it is not working. Can someone point me in right direction?

Re: No matching connection for ICMP error message.

Marvin Rhoads — Tue, 20 Mar 2018 15:45:12 GMT

Are you inspecting icmp in your class-map (which is referenced by the policy-map and applied via the service policy)?

By default an ASA doesn't inspect icmp and thus has no entry in the state table for it, resulting in the error message like the one you mentioned.

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Tue, 20 Mar 2018 15:56:01 GMT

I did show run-conf | inc class-map and got:
class-map cmap-https
class-map inspection_default
class-map cmap-http

So basically, I created a new interface to the FW to use for another new lab network. I applied all the same ACLs to the new interface. Ping would work from IPs that are on the ACL statements. I simply added the 10.10.X networks to those ACLs but it won't work.

Re: No matching connection for ICMP error message.

Marvin Rhoads — Tue, 20 Mar 2018 16:00:41 GMT

You should see something like this in the config. Note the inspect icmp statement:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect pptp

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Tue, 20 Mar 2018 17:25:39 GMT

OK under policy-map global_policy there is no "inspect icmp".

Re: No matching connection for ICMP error message.

Rob Ingram — Tue, 20 Mar 2018 18:40:00 GMT

Can you share the configuration of the ASA please?

Run the command debug icmp trace and then ping the inside interface of the firewall, what is the output in the logs?

Have you run packet tracer and see what it says?

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Tue, 20 Mar 2018 21:00:30 GMT

I will have to check it out tomorrow.
So logs do show denies coming from the devices I ping from (all device except FW as shown in diagram), but I have entries to allow the anything on 192.168 (192.168.0.0 /16) in addition to the device IPs shown on diagram, but they still get denied. I added them as source and destinations and allowing icmp echo replies. Sound like anything I am missing?

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Tue, 20 Mar 2018 21:00:43 GMT

So logs do show denies coming from the devices I ping from (all device except FW as shown in diagram), but I have entries to allow the anything on 192.168 (192.168.0.0 /16) in addition to the device IPs shown on diagram, but they still get denied. I added them as source and destinations and allowing icmp echo replies. Sound like anything I am missing?

Re: No matching connection for ICMP error message.

Rob Ingram — Tue, 20 Mar 2018 21:49:37 GMT

On your diagram, what looks to be the inside interface of the FW has an IP address of 10.10.20.10.2 /24 - which is invalid, is that just incorrect on the diagram? You previously said the inside IP of the FW is 10.10.10.251.

You mention the 192.168.0.0/16 subnet, do you have a route on the FW to that network?

This will all become clearer tomorrow when we can have a look at the configuration of the ASA.

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Tue, 20 Mar 2018 22:30:41 GMT

Sorry diagram is wrong - I have updated it and attached it.

FW is 10.10.20.2 and router g0/1 has ip 10.10.20.1.
Mistake again I meant to say 10.10 instead of 192.168.

Yes I have the following route on the FW: route inside 10.10.0.0 255.255.0.0 10.10.20.1 to point to the router mgmt. sub interface to get to any 10.10.X.X traffic as I will have more than 10.10.10.X subnets.

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Tue, 20 Mar 2018 22:31:09 GMT

Forgot to attach.

Re: No matching connection for ICMP error message.

Marvin Rhoads — Wed, 21 Mar 2018 09:51:45 GMT

If you don't inspect icmp, the firewall won't allow the icmp echo reply return traffic that is required for ping to work. Add that inspection and try it again.

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Fri, 23 Mar 2018 19:06:03 GMT

I added a rule to allow the IPs via the GUI to ping. The service I put was "ping". Are you saying I still must have an inspection rule?

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Fri, 23 Mar 2018 20:43:22 GMT

Sorry I can't get the config on here.
Packet tracer shows everything is good when doing tests for TCP, UDP, HTTP, TCP- echo, ICMP echo-reply - between the internal devices and Edge router. Right now only the edge router will ping the FW from the CLI.
Strange. Given I get those results, what you think is happening?

Re: No matching connection for ICMP error message.

Rob Ingram — Fri, 23 Mar 2018 21:14:13 GMT

From the cli add icmp inspect as Marvin suggested

policy-map global_policy
 class inspection_default
 inspect icmp

Re: No matching connection for ICMP error message.

Rob Ingram — Fri, 23 Mar 2018 21:16:39 GMT

It would help if we had the configuration of the firewall and router to assist the troubleshooting. Please save the configuration to files and upload on here.
Did you run a debug icmp trace when you run a ping test as previously suggested?

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Sat, 24 Mar 2018 14:23:47 GMT

Ok I will try that this week

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Sat, 24 Mar 2018 14:25:07 GMT

Ok.

The edge router connected to the Outside interface IS able to ping the FW.

Re: No matching connection for ICMP error message.

CiscoBrownBelt — Mon, 26 Mar 2018 14:26:12 GMT

I will see if I can get configs.

I will run that command and let you know.