
icmp denies type 11 code 0 on my outside interface ASA

ed0001
Level 1

I see constant floods of icmp denies type 11 code 0 on my outside ASA interface in the syslog.

 

Apr 04 2020 11:19:36 {ISP IP} {INTERNAL IP} Deny icmp src outside:{ISP IP} dst inside:{INTERNAL IP} (type 11, code 0) by access-group "Outside" [0x0, 0x0]

 

From my understanding, this is a TTL expiry packet. The source IP address is coming from an ISP router that's not on our site. I am not sure what's happening here. Could this be a NAT issue? Has anyone had a similar problem?

 

2 Replies

Hi,
Someone inside your network (the internal IP address in the log) has run traceroute through your firewall; ICMP type 11 (time-exceeded) would be the expected response. If you are blocking this, then you won't see the hops in the traceroute.

HTH

Hi RJI,
Thanks for your response. I see these denies flooding the syslogs non-stop. This is not a one-time thing as you mentioned someone running traceroute internally.
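To tell the short, multi-hop burst a traceroute leaves from denies that keep arriving over time, the syslog lines can be grouped by inside destination host. The script below is an added example, not part of the thread or any Cisco tool; the sample lines are constructed in the format quoted in the question, with documentation and private addresses in place of the redacted IPs, and the 300-second threshold is an assumption to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format quoted in the question; the
# addresses are placeholders for the redacted {ISP IP} / {INTERNAL IP}.
SAMPLE_LOG = """\
Apr 04 2020 11:19:36 198.51.100.1 10.0.0.25 Deny icmp src outside:198.51.100.1 dst inside:10.0.0.25 (type 11, code 0) by access-group "Outside" [0x0, 0x0]
Apr 04 2020 11:20:01 198.51.100.1 10.0.0.40 Deny icmp src outside:198.51.100.1 dst inside:10.0.0.40 (type 11, code 0) by access-group "Outside" [0x0, 0x0]
Apr 04 2020 11:20:02 203.0.113.9 10.0.0.40 Deny icmp src outside:203.0.113.9 dst inside:10.0.0.40 (type 11, code 0) by access-group "Outside" [0x0, 0x0]
Apr 04 2020 11:20:03 203.0.113.77 10.0.0.40 Deny icmp src outside:203.0.113.77 dst inside:10.0.0.40 (type 11, code 0) by access-group "Outside" [0x0, 0x0]
Apr 04 2020 11:22:10 203.0.113.9 10.0.0.25 Deny icmp src outside:203.0.113.9 dst inside:10.0.0.25 (type 3, code 3) by access-group "Outside" [0x0, 0x0]
Apr 04 2020 11:24:40 198.51.100.1 10.0.0.25 Deny icmp src outside:198.51.100.1 dst inside:10.0.0.25 (type 11, code 0) by access-group "Outside" [0x0, 0x0]
Apr 04 2020 11:31:02 198.51.100.1 10.0.0.25 Deny icmp src outside:198.51.100.1 dst inside:10.0.0.25 (type 11, code 0) by access-group "Outside" [0x0, 0x0]
"""

# Timestamp, then the "Deny icmp src IF:IP dst IF:IP (type N, code N)" part.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*?'
    r'Deny icmp src (?P<sif>[^:\s]+):(?P<src>\S+) dst (?P<dif>[^:\s]+):(?P<dst>\S+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\)'
)

def summarize(log_text, icmp_type=11, icmp_code=0):
    """Group denied ICMP messages of one type/code by inside destination host."""
    hosts = defaultdict(lambda: {"count": 0, "sources": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or (int(m["type"]), int(m["code"])) != (icmp_type, icmp_code):
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        h = hosts[m["dst"]]
        h["count"] += 1
        h["sources"].add(m["src"])
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hosts)

def persistent_hosts(summary, min_span_seconds=300):
    """Inside hosts whose denies span at least min_span_seconds (assumed cutoff)."""
    return sorted(
        dst for dst, h in summary.items()
        if (h["last"] - h["first"]).total_seconds() >= min_span_seconds
    )

if __name__ == "__main__":
    for dst, h in summarize(SAMPLE_LOG).items():
        print(dst, h["count"], sorted(h["sources"]), h["first"], h["last"])
    print("persistent:", persistent_hosts(summarize(SAMPLE_LOG)))
```

Hosts returned by `persistent_hosts` are the ones to inspect on the inside, since the time-exceeded messages are replies to traffic they originated.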