Re: %ASA-4-313005: No matching connection for ICMP error message

manik.palekar · ‎09-27-2010

Hello Frdz ...

I have NTP server in DMZ zone and all Inside hosts would get syn with DMZ zone NTP server ..

I have been getting huge No matching connection for ICMP error message between inside host and DMZ NTP server ....

Could you please suggest how to stop this messages ...

Regards ..

Manik Palekar

Jennifer Halim · ‎09-27-2010

Here is what syslog# 313005 means:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771130

You might want to check why you are getting that particular ICMP error messages and who is sending it (ie: the inside host or the DMZ server) so the icmp error messages can be stopped.

manik.palekar · ‎09-30-2010

Hi Jennifer ....

Thanks for the details ..at present these icmp requests are being blocked by Firewall due to No matching connection or there is no exiting icmp session .This results in top denied connection and which is causing high cpu and memory ..

would like to know if there any way to stop these sessions ..

Regards ..

Manik Palekar

Panos Kampanakis · ‎09-30-2010

Please enable "inspect icmp" and "inspect icmp error" and see if it helps.

If you have icmp inspection the FW will create conns per icmp pakcet that is see. Though if the response is coming from the wrong interface you will the "no connection" messages.

I would also suggest capturing the icmp packets on the FW interfaces if the icmp error persist.

PK

%ASA-4-313005: No matching connection for ICMP error message: