%ASA-4-313005: No matching connection for ICMP error message:

danilodicesare
Level 1

Hi all,

I'd like to understand what this message means:

Feb 02 2010 16:30:14 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:1.1.1.1 dst vlan_inside:2.2.2.2 (type 3, code 3) on outside interface.  Original IP payload: udp src 2.2.2.2/53 dst 1.1.1.1/49462.

I've got an ASA with some DNS behind it. Often I see the message below and I cannot understand why.

Can anyone help me?

tnx

Das

6 Replies

sachinraja
Level 9

Hello Das

Have you allowed ICMP between the zones? This just shows that ICMP is dropped between the IP addresses specified. This is just a warning message. The session may not be established, but you need to have a look at the source and destination IPs given in the error. Do you see the source/destination on your network? Are you getting too many of these, or just once in a while?

Raj

Hi Raj,

I've got a lot of those and I think ICMP is allowed from outside.

Das

Hi Das

It's good to have ICMP disabled from outside. You should not have it open unless it is highly essential; even if it is, it's better to disable it. What are the IP addresses shown in the log message? Is it anything related to your network? Do you have IPS or CS-MARS on your network? These devices can actually inspect packets at the application layer and see if there are any vulnerabilities or attacks in the packets entering your network...

Thanks

Raj

Hi,

I am also having this message on our ASA, we have no idea of the IP address which is trying to connect.

Is there a Cisco reference to these syslog outputs?

m.sohnius
Level 1

Hi,

This is a 4-year old question, yet it comes up top of a relevant Google search, so it might be worth trying to answer:

Search for "%ASA-4-313005" on this page,

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html

to see what Cisco has to say about it (admittedly for a PIX, but the same applies to ASAs).

For the background as to what may be happening look here:

http://silviocesare.wordpress.com/2007/10/20/icmp-destination-unreachable/

On the whole, it's actually a bad idea to categorically deny incoming ICMP messages; echo-reply should certainly be allowed (so that people can ping), but some other ICMPs, including most "unreachable" messages, should also be allowed, particularly if your user community is technical and wants to do things like traceroutes. Also, maximum-MSS negotiation - crucial for proper functioning of TCP - relies on "ICMP unreachable" control messages.

So, follow Cisco's advice and block the attacking address.  That is a good way to get rid of the log messages without actually disabling message type 313005 altogether.  The traffic itself is blocked anyway - that's what the firewall already did for you, and why it wrote a log message!

M.

Vern Brinkman
Level 1

I am seeing this too.

So it goes out as ICMP and returns UDP?????

udp src 2.2.2..................

icmp src outside:...............

Is this why the ASA can't find a match?
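Added example (not from any poster or from Cisco): a small Python triage script that parses the 313005 line quoted at the top of the thread, names the ICMP type/code per RFC 792, reconstructs the connection the ASA would have needed in its table (the UDP header under "Original IP payload" is the inside-to-outside packet that provoked the error, quoted back inside the ICMP message, so nothing "returns as UDP"), checks that the host reporting the error is the one that packet was sent to, and counts messages per reporting host to answer Raj's "are you getting too many of these" question. The sample log lines are constructed in the format of Das's message; the 198.51.100.7 address and the timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the %ASA-4-313005 message quoted above
# (1.1.1.1 / 2.2.2.2 are the thread's anonymised hosts; 198.51.100.7 is made up).
SAMPLE_LOG = """\
Feb 02 2010 16:30:14 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:1.1.1.1 dst vlan_inside:2.2.2.2 (type 3, code 3) on outside interface.  Original IP payload: udp src 2.2.2.2/53 dst 1.1.1.1/49462.
Feb 02 2010 16:30:15 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:1.1.1.1 dst vlan_inside:2.2.2.2 (type 3, code 3) on outside interface.  Original IP payload: udp src 2.2.2.2/53 dst 1.1.1.1/50118.
Feb 02 2010 16:31:02 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:198.51.100.7 dst vlan_inside:2.2.2.2 (type 11, code 0) on outside interface.  Original IP payload: udp src 2.2.2.2/53 dst 198.51.100.7/33434.
"""

# ICMP type/code names from RFC 792 for the errors most often seen in 313005.
ICMP_NAMES = {(3, 0): "net unreachable", (3, 1): "host unreachable",
              (3, 3): "port unreachable", (3, 4): "fragmentation needed",
              (11, 0): "TTL exceeded in transit"}

MSG_RE = re.compile(
    r"%ASA-4-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<src_if>[^:\s]+):(?P<icmp_src>\S+) dst (?P<dst_if>[^:\s]+):(?P<icmp_dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on \S+ interface\.\s+"
    r"Original IP payload: (?P<proto>\w+) src (?P<o_src>[\d.]+)/(?P<o_sport>\d+) "
    r"dst (?P<o_dst>[\d.]+)/(?P<o_dport>\d+)\."
)

def parse_313005(line):
    # Return the fields of one 313005 message, or None if the line is something else.
    m = MSG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    t, c = int(f["type"]), int(f["code"])
    return {
        "reporter": f["icmp_src"],                       # host that sent the ICMP error
        "icmp": ICMP_NAMES.get((t, c), f"type {t} code {c}"),
        # "Original IP payload" is the header of the packet that triggered the error. The ASA
        # only forwards the error if that packet belongs to a connection still in its table.
        "needed_conn": f"{f['proto']} {f['o_src']}:{f['o_sport']} -> {f['o_dst']}:{f['o_dport']}",
        # A genuine error is sent by the host the quoted packet was addressed to.
        "consistent": f["icmp_src"] == f["o_dst"] and f["icmp_dst"] == f["o_src"],
    }

def count_by_reporter(log):
    # Count 313005 messages per (reporting host, ICMP error) to spot noisy or odd sources.
    counts = Counter()
    for rec in filter(None, map(parse_313005, log.splitlines())):
        counts[(rec["reporter"], rec["icmp"])] += 1
    return counts

if __name__ == "__main__":
    print(count_by_reporter(SAMPLE_LOG).most_common())
```

Feed it your own syslog export in place of SAMPLE_LOG; a reporter that produces many errors for many different inside ports is what the Cisco note above means by a candidate for an ACL, while a handful per DNS server is ordinary late-response noise.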
