%ASA-3-313001:Denied ICMP type=3, code=3 from X.X.X.X on interface Outside

syamkumarrao
Level 1

Hi,

I tried to enable SNMP trap monitoring for my ASA firewall to a CA Spectrum tool at a remote location.

When I enabled the traps, it immediately started throwing the below error. (Intermittent Firewalls the ports are not opened)

%ASA-3-313001: Denied ICMP type=3, code=3 from X.X.X.X on interface Outside

%ASA-3-313001: Denied ICMP type=3, code=3 from X.X.X.X on interface Outside

Regards,

Syam

1 Reply

kkhapeka
Cisco Employee

ASA is receiving the ICMP reply messages from x.x.x.x on OUTSIDE interface.

By default, the ASA allows only those ICMP response messages whose request was allowed by the ASA in the first place; in simpler terms, the ASA will allow only those ICMP responses for which a session already exists on the ASA.

So, ASA is dropping ICMP response messages on OUTSIDE interface.

You need to check whether the source IP x.x.x.x is the same every time or is changing every time, or whether you see a pattern in the source IP of those ICMP messages.

If that x.x.x.x is a known IP then you need to check why it is generating ICMP response so frequently.

The behaviour which we are observing is expected behaviour.

Please provide the sanitised SNMP configuration, so that we can check whether it is possible to suppress such traps or not.
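
One way to run the check suggested in the reply above (is the source the same each time, or is there a pattern), as an added example that is not part of the original thread: it tallies 313001 denies per source, interface and ICMP type/code, and names the type/code (type 3, code 3 is "destination unreachable: port unreachable"). The function names, the sample addresses and the timestamps are assumptions made up for illustration.

```python
import re
from collections import Counter

# Message layout taken from the 313001 lines quoted in the thread.
DENY_RE = re.compile(
    r"%ASA-3-313001:\s*Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<ifc>\S+)"
)

# Standard ICMPv4 names for a few (type, code) pairs; None matches any code.
ICMP_NAMES = {
    (0, None): "echo reply",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 13): "destination unreachable: administratively prohibited",
    (8, None): "echo request",
    (11, None): "time exceeded",
}

def icmp_name(t, c):
    exact, any_code = ICMP_NAMES.get((t, c)), ICMP_NAMES.get((t, None))
    return exact or any_code or f"type {t} code {c}"

def summarize(lines):
    """Count 313001 denies per (source, interface, type, code); skip other lines."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            counts[(m["src"], m["ifc"], int(m["type"]), int(m["code"]))] += 1
    return counts

def report(counts):
    """One text row per key, most frequent source first."""
    return [f"{n:>4}  {src:<15} {ifc:<8} {icmp_name(t, c)}"
            for (src, ifc, t, c), n in counts.most_common()]

# Constructed sample log lines (documentation addresses, not from the thread).
SAMPLE = [
    "Jan 10 2024 09:15:01: %ASA-3-313001: Denied ICMP type=3, code=3 from 192.0.2.10 on interface Outside",
    "Jan 10 2024 09:15:31: %ASA-3-313001: Denied ICMP type=3, code=3 from 192.0.2.10 on interface Outside",
    "Jan 10 2024 09:16:01: %ASA-3-313001: Denied ICMP type=3, code=3 from 192.0.2.10 on interface Outside",
    "Jan 10 2024 09:16:40: %ASA-3-313001: Denied ICMP type=3, code=13 from 198.51.100.7 on interface Outside",
    "Jan 10 2024 09:17:02: unrelated line that is not a 313001 message (constructed)",
]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

A single source repeating at the trap interval, as in the constructed sample, points at one host answering the same traffic each time rather than at scattered senders.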
