%ASA-4: No matching connection for ICMP error message:

CiscoPurpleBelt
Level 6

So while looking at the logging monitor in the ASDM, I see the following below when just accessing webpages from my PC.

Can anyone help explain what this all means, as I am not pinging anything?

4 Feb 19 2019 21:24:58 313005         No matching connection for ICMP error message: icmp src inside: X.X.X.98 dst outside: X.X.X.11 (type 3, code 3) on inside interface. Original IP payload: udp src X.X.X.11/53 dst X.X.X.98/52906.

Syslog Details:

%ASA-4-313005: No matching connection for ICMP error message: icmp_msg_info on interface_name interface. Original IP payload: embedded_frame_info

icmp_msg_info = icmp src src_interface_name:src_address [([idfw_user | FQDN_string], sg_info)] dst dest_interface_name:dest_address [([idfw_user | FQDN_string], sg_info)] (type icmp_type, code icmp_code)

embedded_frame_info = prot src source_address/source_port [([idfw_user | FQDN_string], sg_info)] dst dest_address/dest_port [([idfw_user | FQDN_string], sg_info)]

Explanation: ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA.
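As an added example (not part of the original post and not Cisco code), the parser below takes a 313005 line in the layout shown in the Syslog Details above and pulls out the two things that matter when reading it: who generated the ICMP error (the ICMP source address, since an ICMP error is sent by whichever device could not deliver the embedded datagram) and what the embedded original datagram was (protocol, source and destination with ports). The sample line is constructed with documentation addresses standing in for the redacted X.X.X.98 and X.X.X.11 in the post; the type 3 code names come from RFC 792 and the IANA ICMP registry. Applied to the poster's line, it shows that the Port Unreachable is sourced by the inside host about a UDP/53 reply addressed to that same host's port 52906.

```python
"""Parse Cisco ASA %ASA-4-313005 lines and explain which host generated the
ICMP error.  Added example; not from the original thread and not Cisco code."""
import re
from typing import Optional

# RFC 792 / IANA names for ICMP type 3 (Destination Unreachable) codes.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

# Field layout follows the 313005 syslog format quoted in the thread.  The
# ASDM view shows "inside: 1.2.3.4" with a space after the colon, so the
# interface/address separator allows optional whitespace.
_RE = re.compile(
    r"313005.*?icmp src (?P<src_if>\S+?):\s*(?P<src>\S+) "
    r"dst (?P<dst_if>\S+?):\s*(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<iface>\S+) interface\. "
    r"Original IP payload: (?P<proto>\w+) src (?P<p_src>\S+) dst (?P<p_dst>\S+)\.\s*$"
)

# Constructed sample: documentation addresses stand in for the redacted
# X.X.X.98 (inside client) and X.X.X.11 (DNS server) from the post.
SAMPLE = (
    "4 Feb 19 2019 21:24:58 313005 No matching connection for ICMP error message: "
    "icmp src inside: 192.0.2.98 dst outside: 198.51.100.11 (type 3, code 3) on inside "
    "interface. Original IP payload: udp src 198.51.100.11/53 dst 192.0.2.98/52906."
)


def _split_endpoint(ep: str):
    """'198.51.100.11/53' -> ('198.51.100.11', 53); no port if none is present."""
    host, _, port = ep.partition("/")
    return host, (int(port) if port else None)


def parse_313005(line: str) -> Optional[dict]:
    """Return the decoded fields of a 313005 message, or None for other messages."""
    m = _RE.search(line)
    if not m:
        return None
    orig_src, orig_sport = _split_endpoint(m["p_src"])
    orig_dst, orig_dport = _split_endpoint(m["p_dst"])
    icmp_type, icmp_code = int(m["type"]), int(m["code"])
    rec = {
        "icmp_src": m["src"], "icmp_src_if": m["src_if"],
        "icmp_dst": m["dst"], "icmp_dst_if": m["dst_if"],
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "code_name": (UNREACHABLE_CODES.get(icmp_code, "unknown")
                      if icmp_type == 3 else "n/a"),
        "drop_interface": m["iface"],
        "orig_proto": m["proto"].lower(),
        "orig_src": orig_src, "orig_sport": orig_sport,
        "orig_dst": orig_dst, "orig_dport": orig_dport,
    }
    # The ICMP error is sourced by the device that failed to deliver the
    # embedded datagram.  If that equals the embedded destination, the
    # receiving host itself (not a router in the path) generated the error.
    rec["originator_is_orig_dst"] = rec["icmp_src"] == rec["orig_dst"]
    return rec


def explain(line: str) -> str:
    """One-sentence reading of a 313005 line for a human analyst."""
    rec = parse_313005(line)
    if rec is None:
        return "not a 313005 message"
    who = ("the receiving host itself" if rec["originator_is_orig_dst"]
           else "an intermediate device, not the destination host")
    return (f"{rec['icmp_src']} ({rec['icmp_src_if']}) sent ICMP type {rec['icmp_type']} "
            f"code {rec['icmp_code']} ({rec['code_name']}) about a {rec['orig_proto']} "
            f"datagram from {rec['orig_src']}:{rec['orig_sport']} to "
            f"{rec['orig_dst']}:{rec['orig_dport']}; the error came from {who}. "
            f"The ASA dropped it on {rec['drop_interface']} because no matching "
            f"connection existed.")


if __name__ == "__main__":
    print(explain(SAMPLE))
```

Running it against the sample prints that 192.0.2.98 on inside generated a port unreachable for a UDP datagram from 198.51.100.11:53 to 192.0.2.98:52906, i.e. the client end of the DNS exchange, which is the detail to check before looking at upstream routing.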

2 Accepted Solutions

ICMP type 3 is destination unreachable. As the name implies, the ASA received an ICMP unreachable message and dropped it because there is no active ICMP connection for the same source and destination.

Typically this is because you initiated a connection to an IP address xyz and, when the packet passed the ASA and arrived at your upstream router, the router couldn't route this packet because there is no route entry in its table. The router will respond with a destination unreachable message to you. Now the ASA will drop this packet because you don't have an active connection for ICMP and you don't have an ACL to allow ICMP unreachable.

Hope it's clear now. To fix this issue, look at your upstream router (or L3 switch) and see why it can't route packets. Also, if you don't have security concerns, allow ICMP unreachable messages through an ACL.


Kevin_W
Level 1

We had the same problem and log messages.
The solution in our scenario was to disable IPv6 on the Ethernet adapter of the affected notebook. After that, DNS was successful.

Just in case some others have the same problem, this might be an alternative solution.


8 Replies


Ok thanks!

 

When you say the router can't route the packets I am a bit confused. Wouldn't it route to the internet webpage via the default 0.0.0.0 route, or are you describing a different kind of route process that happens?

Ideally you are right, but this isn't happening, which is what you need to look at.

Awesome thanks!
Perhaps some misconfiguration or something. I will look.

I'm seeing this with two devices that are directly connected to the ASA and am wondering what might cause that.


Good stuff thanks.
I will try that.

Peter Koltl
Level 7

Neither explanation is sufficient in my opinion. The Unreachable packet refers to a previous UDP/53 DNS packet (a reply packet, actually) that is probably a valid reply to a valid DNS request. Somehow the client refuses to accept the DNS reply, as if it had already removed the UDP socket from its connection table, but why? The client should accept the DNS response and should not send ICMP unreachable.
