02-02-2010 07:42 AM - edited 03-11-2019 10:04 AM
Hi all,
I'd like to understand what this message means:
Feb 02 2010 16:30:14 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:1.1.1.1 dst vlan_inside:2.2.2.2 (type 3, code 3) on outside interface. Original IP payload: udp src 2.2.2.2/53 dst 1.1.1.1/49462.
I've got an ASA and behind it some DNS. Often I see the message below and I cannot understand why.
Can anyone help me?
Thanks
Das
02-02-2010 07:48 AM
Hello Das
Have you allowed ICMP between the zones? This just shows that ICMP is dropped between the IP addresses specified. This is just a warning message; the session may not be established, but you need to have a look at the source and destination IPs given in the error. Do you see the source/destination on your network? Are you getting too many of these, or just once in a while?
Raj
02-02-2010 07:55 AM
Hi Raj,
I've got a lot of those and I think ICMP is allowed from outside.
Das
02-02-2010 08:15 AM
Hi Das
It's good to have ICMP disabled from outside. You should not have it open unless it is highly essential; even if it is, it's better to disable it. What are the IP addresses shown in the log message? Is it anything related to your network? Do you have IPS or CS-MARS on your network? These devices can actually inspect packets at the application layer and see if there are any vulnerabilities or attacks in the packets entering your network.
Thanks
Raj
06-13-2012 01:19 PM
Hi,
I am also having this message on our ASA; we have no idea of the IP address which is trying to connect.
Is there a Cisco reference to these syslog outputs?
03-13-2014 12:38 PM
Hi,
This is a 4-year old question, yet it comes up top of a relevant Google search, so it might be worth trying to answer:
Search for "%ASA-4-313005" on this page,
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
to see what Cisco has to say about it (admittedly for a PIX, but the same applies to ASAs).
For the background as to what may be happening look here:
http://silviocesare.wordpress.com/2007/10/20/icmp-destination-unreachable/
On the whole, it's actually a bad idea to categorically deny incoming ICMP messages; echo-reply should certainly be allowed (so that people can ping), but some other ICMP types, including most "unreachable" messages, should also be allowed, particularly if your user community is technical and wants to do things like traceroutes. Also, maximum-MSS negotiation - crucial for the proper functioning of TCP - relies on "ICMP unreachable" control messages.
So, follow Cisco's advice and block the attacking address. That is a good way to get rid of the log messages without actually disabling message type 313005 altogether. The traffic itself is blocked anyway - that's what the firewall already did for you, and why it wrote a log message!
M.
07-01-2015 01:12 PM
I am seeing this too.
So it goes out as ICMP and returns as UDP?
udp src 2.2.2..................
icmp src outside:...............
Is this why the ASA can't find a match?
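To show what the ASA is actually checking when it logs 313005 (the UDP packet quoted inside the ICMP error, not the ICMP packet itself), here is an added Python example that is not part of the thread and not Cisco's code: it parses the message quoted at the top of the thread and looks the embedded flow up in a constructed connection table. The regex, the table contents and the function names are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed regex for the ASA 313005 message, built from the line quoted in the thread.
MSG_RE = re.compile(
    r"%ASA-4-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<icmp_src_if>[\w-]+):(?P<icmp_src>[\d.]+) "
    r"dst (?P<icmp_dst_if>[\w-]+):(?P<icmp_dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<iface>[\w-]+) interface\. "
    r"Original IP payload: (?P<proto>\w+) src (?P<orig_src>[\d.]+)/(?P<orig_sport>\d+) "
    r"dst (?P<orig_dst>[\d.]+)/(?P<orig_dport>\d+)\."
)

def parse_313005(line: str) -> Optional[dict]:
    """Return the fields of a 313005 message, or None if the line is a different message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("type", "code", "orig_sport", "orig_dport"):
        fields[key] = int(fields[key])
    return fields

def embedded_flow(msg: dict) -> tuple:
    """5-tuple of the packet quoted inside the ICMP error (here the DNS reply), not the ICMP packet."""
    return (msg["proto"], msg["orig_src"], msg["orig_sport"], msg["orig_dst"], msg["orig_dport"])

def reverse(flow: tuple) -> tuple:
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)

def lookup(msg: dict, conn_table: set) -> Optional[tuple]:
    """Mimic the firewall's check: the quoted packet must belong to a connection that still exists.
    Connections are bidirectional, so a server->client reply matches the client->server entry."""
    flow = embedded_flow(msg)
    for candidate in (flow, reverse(flow)):
        if candidate in conn_table:
            return candidate
    return None

LOG = ("Feb 02 2010 16:30:14 PROD : %ASA-4-313005: No matching connection for ICMP error message: "
       "icmp src outside:1.1.1.1 dst vlan_inside:2.2.2.2 (type 3, code 3) on outside interface. "
       "Original IP payload: udp src 2.2.2.2/53 dst 1.1.1.1/49462.")

# Constructed connection tables: in the first, the DNS query that produced the quoted reply has
# already been torn down, so the "port unreachable" that quotes it has no connection to attach to.
CONN_TABLE_AFTER_TEARDOWN = {("udp", "10.0.0.5", 40000, "2.2.2.2", 53)}
CONN_TABLE_STILL_OPEN = CONN_TABLE_AFTER_TEARDOWN | {("udp", "1.1.1.1", 49462, "2.2.2.2", 53)}
```

So the ICMP does not "return as UDP": 1.1.1.1 is reporting that the DNS reply from 2.2.2.2/53 reached a closed port, and the ASA drops that report because the UDP connection it refers to is no longer in its table.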