ACE Denied ICMP

robert.horrigan
Level 2

Howdy,

I have a few aces that receive the syslog message:

%ACE-4-313004: Denied ICMP type=3, from laddr x.x.x.x on interface vlanx to y.y.y.y: no matching session

That's all well and good, but the IP addresses in these messages are not local to the site! They do happen to be site-local thousands of miles away. One of the addresses, x.x.x.x, happens to be an interface on the router as well (although not y.y.y.y's directly connected interface). There's no possible way the x network would ping the y network via the ACE's data VLAN across the WAN. I have no possible clue why the ACE could be getting such traffic. Has anyone ever run into this and know what the cause could be? Any feedback would be much appreciated.

/r

Rob

Accepted Solution

pthadani
Level 1

%ACE-4-313004: Denied ICMP type=3, from laddr x.x.x.x on interface vlanx to y.y.y.y: no matching session

The error message is telling you that there is an ICMP type 3 packet hitting vlan x destined to y.y.y.y.

The ACE is denying it because either:

1- ICMP echo replies are received without a valid echo request already passed across the ACE.

2- ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE.

The only way to find out why the ping is going out to y.y.y.y would be by doing a packet capture and checking the source of those packets. Once you have that figured out you can either correct the source or disable the checks on the ACE.

Disabling icmp-guard will prevent these messages from being dropped and the logging of the error. Also, if you have a firewall already in front of the ACE you probably will not have any security issues.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/command/reference/if.html#wp1087186

You can also disable logging for that specific message:
host1/context(config)# no logging message 313004

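Before deciding between fixing the source and turning off icmp-guard or the 313004 log message, it helps to know how many distinct (source, destination, type, interface) combinations the ACE is actually reporting, and to have a capture filter ready for the sniffer. The script below is an added example, not part of the original thread or of any Cisco tooling: it parses the %ACE-4-313004 message in the exact form quoted above, aggregates the denied flows, and builds a standard libpcap/BPF filter (icmp[0] is the ICMP type byte) that can be handed to tcpdump on a SPAN or tap port. The log lines and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed for the example (RFC 5737 documentation ranges), and the three ICMP type names are the RFC 792 values for the types the session check in the accepted answer rejects.

```python
import re
from collections import Counter

# Field layout is taken from the %ACE-4-313004 message quoted in the thread;
# nothing else about the ACE syslog format is assumed.
ACE_313004 = re.compile(
    r"%ACE-4-313004: Denied ICMP type=(?P<type>\d+), "
    r"from laddr (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<iface>\S+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): no matching session"
)

# RFC 792 names for the ICMP types the ACE session check rejects:
# echo replies without a request, and ICMP error messages without a session.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "destination-unreachable", 11: "time-exceeded"}


def parse_313004(line):
    """Return the fields of one syslog line as a dict, or None if it is not a 313004 message."""
    m = ACE_313004.search(line)
    if not m:
        return None
    icmp_type = int(m.group("type"))
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPE_NAMES.get(icmp_type, "other"),
        "src": m.group("src"),
        "iface": m.group("iface"),
        "dst": m.group("dst"),
    }


def summarize(lines):
    """Count denied flows keyed by (src, dst, icmp_type, interface); lines that are not 313004 are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_313004(line)
        if rec:
            counts[(rec["src"], rec["dst"], rec["type"], rec["iface"])] += 1
    return counts


def bpf_filter(rec):
    """Build a tcpdump/libpcap filter isolating one offending flow on a SPAN capture.
    icmp[0] is the ICMP type byte; this is plain BPF, not an ACE feature."""
    return (f"icmp and icmp[0] == {rec['type']} "
            f"and src host {rec['src']} and dst host {rec['dst']}")


# Constructed sample log lines for the example; addresses are documentation ranges,
# not the x.x.x.x / y.y.y.y hosts from the thread. The last line is unrelated syslog noise.
SAMPLE_LOG = [
    "Mar 12 10:01:02 ace01 %ACE-4-313004: Denied ICMP type=3, from laddr 192.0.2.1 on interface vlan100 to 198.51.100.7: no matching session",
    "Mar 12 10:01:05 ace01 %ACE-4-313004: Denied ICMP type=3, from laddr 192.0.2.1 on interface vlan100 to 198.51.100.7: no matching session",
    "Mar 12 10:01:09 ace01 %ACE-4-313004: Denied ICMP type=0, from laddr 203.0.113.9 on interface vlan100 to 198.51.100.7: no matching session",
    "Mar 12 10:01:11 ace01 sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 51022",
]

if __name__ == "__main__":
    for (src, dst, icmp_type, iface), n in summarize(SAMPLE_LOG).most_common():
        name = ICMP_TYPE_NAMES.get(icmp_type, "other")
        print(f"{n:4d}  {src} -> {dst}  type {icmp_type} ({name}) on {iface}")
    print("capture filter:", bpf_filter(parse_313004(SAMPLE_LOG[0])))
```

Feed the output of `grep 313004` on the syslog collector into summarize() instead of SAMPLE_LOG; a handful of repeating (src, dst) pairs usually points at a misrouted or asymmetric path that the ACE only sees one side of, which is the case to fix at the source rather than with `no icmp-guard`. Silencing the message with `no logging message 313004` leaves the drop in place but removes the evidence, so do that only after the capture has explained the traffic.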

3 Replies

Marko Leopold
Level 1

Type 3 means destination unreachable. Wiki says: "The Destination Unreachable message is an ICMP message which is generated by the host or its inbound gateway[1] to inform the client that the destination is unreachable for some reason. A Destination Unreachable message may be generated as a result of a TCP, UDP or another ICMP transmission. Unreachable TCP ports notably respond with TCP RST rather than a Destination Unreachable code 3 as might be expected."


Thanks, I'll put a sniffer in place and see what it looks like.
