Goal:

How do I disable these ICMP messages on my ASA? Version 8.0(3)6

Problem:

In my log file I have 343520 entries per hour of just ICMP messages! We're installing some new equipment and it does a plentiful amount of ICMP traffic which is used for its HA functions. Unfortunately, its filling up my ASA firewall logs with ICMP build and teardown messages like this:

Jan  6 09:44:47 10.55.33.7 %ASA-6-305012: Teardown dynamic ICMP translation from PMETA-MGMT:10.55.30.101/31276 to OUTSIDE-IF:65.182.XYZ.51/33778 duration 0:00:30

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/19511 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/19511 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/28984 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 10.55.30.101/28984 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/29240 gaddr 10.55.30.1/0 laddr 10.55.30.1/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/29240 gaddr 10.55.30.1/0 laddr 10.55.30.1/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-305011: Built dynamic ICMP translation from PMETA-MGMT:10.55.30.101/30008 to OUTSIDE-IF:65.182.XYZ.51/34016

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34016 laddr 10.55.30.101/30008

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34016 laddr 10.55.30.101/30008

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33984 laddr 10.55.30.101/20535

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33984 laddr 10.55.30.101/20535

Jan  6 09:44:47 10.55.33.7 %ASA-6-305012: Teardown dynamic ICMP translation from PMETA-MGMT:10.55.30.101/38956 to OUTSIDE-IF:65.182.XYZ.51/33781 duration 0:00:30

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/21047 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/21047 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/11577 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 10.55.30.101/11577 gaddr 10.55.31.50/0 laddr 10.55.31.50/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 10.55.30.101/11833 gaddr 10.55.30.1/0 laddr 10.55.30.1/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 10.55.30.101/11833 gaddr 10.55.30.1/0 laddr 10.55.30.1/0

Jan  6 09:44:47 10.55.33.7 %ASA-6-305011: Built dynamic ICMP translation from PMETA-MGMT:10.55.30.101/12601 to OUTSIDE-IF:65.182.XYZ.51/34020

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built outbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34020 laddr 10.55.30.101/12601

Jan  6 09:44:47 10.55.33.7 %ASA-6-302020: Built inbound ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/34020 laddr 10.55.30.101/12601

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33988 laddr 10.55.30.101/27959

Jan  6 09:44:47 10.55.33.7 %ASA-6-302021: Teardown ICMP connection for faddr 65.182.XYZ.1/0 gaddr 65.182.XYZ.51/33988 laddr 10.55.30.101/27959

Here's what I've tried:

1. I removed icmp inspect from the global policy
2. I setup rules for ICMP for the different zones
3. I've also disabled logging for the ICMP rules

Here's what I've found:

Sadly, the new piece of equipment is not using the same ICMP identifier for its continuous pings. This gear is using 4 IP's on the same subnet each pinging 3 other devices once per second (12pps) which results in the lengthy log files. When I sniff the traffic I see that the ICMP identifier BE and LE are unique for each ping even to the same destination IP. Where as a normal ping like from a Linux box uses the same identifier BE/LE for that ping instance for each ICMP request which only results in a 4 log entries for either 1 ping or 55000 at 1pps or 3000pps.