Hi, Seems to me that the

Ramesh Babu · ‎08-03-2015

Dear Team,

We are getting following error, kindly tell me meaning for this error.

Jul 31 04:12:12 Jul 31 2015 04:12:11: %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:19.18.54.2 dst inside:10.8.1.11 (type 3, code 3) on outside interface. Original IP payload: udp src 10.8.1.11/53 dst 19.18.54.2/54991.

We unable to identify the what is the exact source ip address.

Please tell me how to resolve this issues.

Jouni Forss · ‎08-03-2015

Hi,

Seems to me that the internal host is probably trying to connect to some remote host and the ASA receives a Type 3 Code 3 ICMP error message that tells that the remote host in unreachable or the destination port was not listening/replying to a connection attempt.

Does the output of "show run policy-map" show a "inspect icmp error" configuration under it? To my understanding it not enabled by default. Also "inspect icmp" is not enabled by default.

But as I said, to my understanding the message tells us that the ASA can not see a matching connection to which this ICMP Error message corresponds to. It might be because missing the "inspect icmp error". I am not really sure. The actual ICMP error message incoming seems to suggest that your internal host(s) are trying to connect to some remote host that is not accepting the connections or just is not listening on that port.

- Jouni

ASA error logs