04-17-2015 10:58 AM - edited 03-11-2019 10:47 PM
I see several of these errors every few seconds in ASDM:
4 | Apr 17 2015 | 12:54:22 | No matching connection for ICMP error message: icmp src Processing:10.182.12.106 dst Office:10.181.10.10 (type 3, code 3) on Processing interface. Original IP payload: udp src 10.181.10.10/53 dst 10.182.12.106/60356. |
The "Original Payload" source is always one of our DCs and always port 53; the destination is our workstation and the port is random.
Is there something I can do to make these errors go away?
I've read up on the error but have not been able to find a solution for my situation.
Thanks,
Carlos
04-17-2015 11:15 PM
Do you have "icmp error" inspection enabled on the ASA? This means the source of the ICMP type and code 3 tells that the protocol 53 is unreachable (not listening to port 53) when 10.182.12.106/60356 is trying to access 10.181.10.10/53. But the ASA has not seen the traffic from 10.182.12.106/60356 to 10.181.10.10/53.
This may be an attack or a false positive. You can take captures and verify that though.
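An added example, not part of the original posts: a triage script that parses messages in the format quoted above and checks whether each ICMP error is consistent with the packet embedded in it. The sample lines are constructed from the thread's message; the address 10.182.12.200 and the category names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the thread's message plus variations of it.
TEMPLATE = ("No matching connection for ICMP error message: icmp src "
            "Processing:{isrc} dst Office:10.181.10.10 (type 3, code 3) on "
            "Processing interface. Original IP payload: udp src "
            "10.181.10.10/53 dst {odst}/{port}.")
SAMPLE = [
    TEMPLATE.format(isrc="10.182.12.106", odst="10.182.12.106", port=60356),
    TEMPLATE.format(isrc="10.182.12.106", odst="10.182.12.106", port=51234),
    # Constructed mismatch: sender differs from the embedded destination.
    TEMPLATE.format(isrc="10.182.12.200", odst="10.182.12.106", port=51000),
    "some unrelated log line",
]

PATTERN = re.compile(
    r"icmp src [^:\s]+:(?P<isrc>[\d.]+) dst [^:\s]+:(?P<idst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\).*?"
    r"Original IP payload: (?P<proto>\w+) src (?P<osrc>[\d.]+)/(?P<osport>\d+) "
    r"dst (?P<odst>[\d.]+)/(?P<odport>\d+)")

def parse(line):
    """Return the ICMP header fields and the embedded flow, or None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("type", "code", "osport", "odport"):
        ev[key] = int(ev[key])
    return ev

def classify(ev):
    # A port-unreachable comes from the host the original packet was sent to
    # and goes back to that packet's source. Anything else is inconsistent.
    if ev["isrc"] != ev["odst"] or ev["idst"] != ev["osrc"]:
        return "mismatch"
    # Embedded packet came from UDP/53: it looks like a DNS response that
    # the receiving host refused (an interpretation, confirm with a capture).
    if (ev["type"], ev["code"], ev["proto"], ev["osport"]) == (3, 3, "udp", 53):
        return "dns-response-refused"
    return "other"

def summarize(lines):
    """Count events per (category, ICMP sender, original source)."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        key = "unparsed" if ev is None else (classify(ev), ev["isrc"], ev["osrc"])
        counts[key] += 1
    return counts
```

A high count in the `dns-response-refused` bucket for one workstation tells you which host pair to capture on; entries in `mismatch` are the ones to look at first.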
04-22-2015 09:18 AM
Yes, we do have icmp error inspection enabled.
I know for a fact that 10.181.10.10 is listening to port 53 because it's a domain controller and is open to take DNS requests. How can I troubleshoot this further?
Carlos
04-23-2015 11:37 PM
Hi,
Can you post the show ip and show route output (sanitized)?
Thanks and Regards,
Vibhor Amrodia
04-24-2015 06:25 AM
show ip:
GigabitEthernet0/0 ATT_00 X.X.X.X 255.255.255.192 CONFIG
GigabitEthernet0/1 ATT_01 X.X.X.X 255.255.255.224 manual
Port-channel1.110 vlan_110 10.181.10.1 255.255.254.0 CONFIG
Port-channel1.210 vlan_210 10.182.10.1 255.255.255.0 CONFIG
Port-channel1.212 vlan_212 10.182.12.1 255.255.255.0 CONFIG
Port-channel1.216 vlan_216 10.182.16.1 255.255.255.0 CONFIG
Port-channel1.220 vlan_220 10.182.20.1 255.255.255.0 CONFIG
Port-channel1.224 vlan_224 10.182.24.1 255.255.254.0 CONFIG
Port-channel1.230 vlan_230 10.182.30.1 255.255.255.0 CONFIG
Port-channel1.234 vlan_234 10.182.34.1 255.255.255.0 CONFIG
Port-channel1.296 vlan_296 10.182.96.1 255.255.254.0 CONFIG
Port-channel1.299 vlan_299 10.182.99.1 255.255.255.0 CONFIG
Port-channel1.300 vlan_300 10.183.0.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 ATT_00 X.X.X.X 255.255.255.192 CONFIG
GigabitEthernet0/1 ATT_01 X.X.X.X 255.255.255.224 manual
Port-channel1.110 vlan_110 10.181.10.1 255.255.254.0 CONFIG
Port-channel1.210 vlan_210 10.182.10.1 255.255.255.0 CONFIG
Port-channel1.212 vlan_212 10.182.12.1 255.255.255.0 CONFIG
Port-channel1.216 vlan_216 10.182.16.1 255.255.255.0 CONFIG
Port-channel1.220 vlan_220 10.182.20.1 255.255.255.0 CONFIG
Port-channel1.224 vlan_224 10.182.24.1 255.255.254.0 CONFIG
Port-channel1.230 vlan_230 10.182.30.1 255.255.255.0 CONFIG
Port-channel1.234 vlan_234 10.182.34.1 255.255.255.0 CONFIG
Port-channel1.296 vlan_296 10.182.96.1 255.255.254.0 CONFIG
Port-channel1.299 vlan_299 10.182.99.1 255.255.255.0 CONFIG
Port-channel1.300 vlan_300 10.183.0.1 255.255.255.0 CONFIG
show route:
S* 0.0.0.0 0.0.0.0 [1/0] via X.X.X.X, ATT_01
S X.X.X.X 255.255.255.255 [1/0] via X.X.X.X, ATT_00
C 10.181.10.0 255.255.254.0 is directly connected, vlan_110
L 10.181.10.1 255.255.255.255 is directly connected, vlan_110
C 10.182.10.0 255.255.255.0 is directly connected, vlan_210
L 10.182.10.1 255.255.255.255 is directly connected, vlan_210
C 10.182.12.0 255.255.255.0 is directly connected, vlan_212
L 10.182.12.1 255.255.255.255 is directly connected, vlan_212
C 10.182.16.0 255.255.255.0 is directly connected, vlan_216
L 10.182.16.1 255.255.255.255 is directly connected, vlan_216
C 10.182.20.0 255.255.255.0 is directly connected, vlan_220
L 10.182.20.1 255.255.255.255 is directly connected, vlan_220
C 10.182.24.0 255.255.254.0 is directly connected, vlan_224
L 10.182.24.1 255.255.255.255 is directly connected, vlan_224
C 10.182.30.0 255.255.255.0 is directly connected, vlan_230
L 10.182.30.1 255.255.255.255 is directly connected, vlan_230
C 10.182.34.0 255.255.255.0 is directly connected, vlan_234
L 10.182.34.1 255.255.255.255 is directly connected, vlan_234
C 10.182.96.0 255.255.254.0 is directly connected, vlan_296
L 10.182.96.1 255.255.255.255 is directly connected, vlan_296
C 10.182.99.0 255.255.255.0 is directly connected, vlan_299
L 10.182.99.1 255.255.255.255 is directly connected, vlan_299
S 10.183.30.28 255.255.255.255 [1/0] via X.X.X.X, ATT_01
S X.X.X.X 255.255.255.224 [1/0] via X.X.X.X, ATT_00
C X.X.X.X 255.255.255.224 is directly connected, ATT_01
L X.X.X.X 255.255.255.255 is directly connected, ATT_01
S X.X.X.X 255.255.255.255 [1/0] via X.X.X.X, ATT_00
S 172.16.0.0 255.252.0.0 [1/0] via X.X.X.X, ATT_00
S 172.23.212.0 255.255.255.0 [1/0] via X.X.X.X, ATT_00
S 192.168.33.0 255.255.255.0 [1/0] via X.X.X.X, ATT_00
S X.X.X.X 255.255.255.255 [1/0] via X.X.X.X, ATT_00
S X.X.X.X 255.255.255.255 [1/0] via X.X.X.X, ATT_00
C X.X.X.X 255.255.255.192 is directly connected, ATT_00
L X.X.X.X 255.255.255.255 is directly connected, ATT_00
S X.X.X.X 255.255.255.255 [1/0] via X.X.X.X, ATT_00
01-16-2016 11:32 PM
Hi,
Does anybody have the answer for this? We are facing the exact same issue.
Thanks!
Ali Ahmad
01-13-2017 09:45 AM
Did you find a resolution for this problem? We have the same problem, and opened a case with Cisco but not much luck.
Thanks
Kuriakose