No matching connection for ICMP error message.

CiscoPurpleBelt
Level 6

See diagram attachment.

I receive the following error in the logs of the ASA:

no matching connection for ICMP error message: icmp src Inside: 10.10.10.1 dst identity: 10.10.10.251 (type 3 code 13) on Inside interface. Original payload: icmp src 10.10.10.251 dst 10.10.10.1 (type 0, code 0)

So basically I am pinging from the internal side (left router / 10.10.10.1) to the internal IP of the FW (10.10.10.251).

I added a network object (Internal Lan) to allow all 192 addresses, so I entered 192.168.0.0 /16 and applied this to allow ICMP to the internal and external interfaces of the FW. Obviously it is not working. Can someone point me in the right direction?

18 Replies

Marvin Rhoads
Hall of Fame

Are you inspecting icmp in your class-map (which is referenced by the policy-map and applied via the service policy)?

By default an ASA doesn't inspect icmp and thus has no entry in the state table for it, resulting in an error message like the one you mentioned.

I did show run-conf | inc class-map and got:

class-map cmap-https
class-map inspection_default
class-map cmap-http

So basically, I created a new interface to the FW to use for another new lab network. I applied all the same ACLs to the new interface. Ping would work from IPs that are on the ACL statements. I simply added the 10.10.X networks to those ACLs but it won't work.

You should see something like this in the config. Note the inspect icmp statement:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp

OK under policy-map global_policy there is no "inspect icmp".

Can you share the configuration of the ASA please?

Run the command debug icmp trace and then ping the inside interface of the firewall. What is the output in the logs?


Have you run packet tracer and seen what it says?

I will have to check it out tomorrow.
So the logs do show denies coming from the devices I ping from (all devices except the FW, as shown in the diagram), but I have entries to allow anything on 192.168 (192.168.0.0 /16) in addition to the device IPs shown on the diagram, and they still get denied. I added them as sources and destinations and allowed icmp echo replies. Does it sound like I am missing anything?

Sorry I can't get the config on here.
Packet tracer shows everything is good when doing tests for TCP, UDP, HTTP, TCP echo and ICMP echo-reply between the internal devices and the Edge router. Right now only the edge router will ping the FW from the CLI.
Strange. Given I get those results, what do you think is happening?

It would help if we had the configuration of the firewall and router to assist the troubleshooting. Please save the configurations to files and upload them on here.
Did you run a debug icmp trace when you ran a ping test, as previously suggested?

I will see if I can get configs.

I will run that command and let you know.

If you don't inspect icmp, the firewall won't allow the icmp echo reply return traffic that is required for ping to work. Add that inspection and try it again.
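The point made above, that a ping to the ASA fails when the applied policy has no inspect icmp line, can be checked from a saved running-config before touching the box. The script below is an added example written for this thread; it is not Cisco code and not something any poster supplied. It parses the policy-map stanzas, finds which policy-map each service-policy applies (globally or per interface), and reports whether that policy inspects icmp. The sample configuration text is constructed in the shape of the fragments quoted in the thread, and the function names are my own.

```python
"""Check an ASA running-config for ICMP inspection in its applied service policies.

Added example for the thread above; not Cisco code. It relies on the ASA's
fixed indentation: 'policy-map' at column 0, ' class' one space in,
'  inspect' two spaces in.
"""
import re
from typing import Dict, List

# Constructed sample: a minimal config in the shape of the fragments quoted
# in the thread, before 'inspect icmp' has been added.
CONFIG_WITHOUT_ICMP = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
!
service-policy global_policy global
"""

# The same config after the fix suggested in the thread.
CONFIG_WITH_ICMP = CONFIG_WITHOUT_ICMP.replace(
    "  inspect ip-options\n", "  inspect ip-options\n  inspect icmp\n")


def parse_policy_maps(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {policy_map: {class_name: [inspected protocols]}}.

    'policy-map type inspect ...' stanzas (protocol parameter maps) are
    skipped; only Layer 3/4 policy-maps with a single name are collected.
    """
    policies: Dict[str, Dict[str, List[str]]] = {}
    current_pm = None
    current_class = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip())
        words = line.split()
        if indent == 0:
            # Any new top-level stanza ends the policy-map we were inside.
            current_pm = current_class = None
            if words[0] == "policy-map" and len(words) == 2:
                current_pm = words[1]
                policies[current_pm] = {}
        elif indent == 1 and current_pm is not None and words[0] == "class":
            current_class = words[1]
            policies[current_pm].setdefault(current_class, [])
        elif indent == 2 and current_class is not None and words[0] == "inspect":
            policies[current_pm][current_class].append(words[1])
    return policies


def applied_policies(config: str) -> Dict[str, str]:
    """Map each scope ('global' or an interface nameif) to the policy-map applied there."""
    scopes: Dict[str, str] = {}
    pattern = r"^service-policy (\S+) (global|interface \S+)$"
    for match in re.finditer(pattern, config, re.MULTILINE):
        name, where = match.groups()
        scopes[where.replace("interface ", "")] = name
    return scopes


def icmp_inspection_by_scope(config: str) -> Dict[str, bool]:
    """For each applied scope, True if some class in its policy-map inspects icmp."""
    pmaps = parse_policy_maps(config)
    result: Dict[str, bool] = {}
    for scope, name in applied_policies(config).items():
        classes = pmaps.get(name, {})
        result[scope] = any("icmp" in protos for protos in classes.values())
    return result


def interface_icmp_inspected(config: str, nameif: str = "Inside") -> bool:
    """An interface-level policy, if present, is what counts for that interface;
    otherwise the global policy applies (assumption stated in the lead-in)."""
    by_scope = icmp_inspection_by_scope(config)
    return by_scope.get(nameif, by_scope.get("global", False))


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_WITHOUT_ICMP), ("after fix", CONFIG_WITH_ICMP)):
        print(label, icmp_inspection_by_scope(cfg),
              "Inside inspected:", interface_icmp_inspected(cfg))
```

Feed it the text of show running-config (or the file you upload here) instead of the constructed sample. The per-interface branch exists because a service-policy applied to a single interface, not only the global one, decides what that interface inspects; a check that only looks at global_policy would miss that case.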

I added a rule to allow the IPs via the GUI to ping. The service I put was "ping". Are you saying I still must have an inspection rule?

From the CLI, add icmp inspection as Marvin suggested:

policy-map global_policy
 class inspection_default
  inspect icmp

OK, I will try that this week.

Ok.

The edge router connected to the Outside interface IS able to ping the FW.