Solved: %ASA-4: No matching connection for ICMP error message:

CiscoBrownBelt · ‎02-19-2019

So while looking at the logging monitor in the ASDM, I see the following below when just accessing webpages from my PC.

Can anyone help explain what this all means as I am not pinging anything.

4

Feb 19 2019

21:24:58

313005

No matching connection for ICMP error message: icmp src inside: X.X.X.98 dst outside: X.X.X.11 (type 3, code 3) on inside interface. Original IP payload: udp src X.X.X.11/53 dst X.X.X.98/52906.

Syslog Details:

%ASA-4-313005: No matching connection for ICMP error message:
icmp_msg_info on interface_name interface. Original IP payload:
embedded_frame_info icmp_msg_info = icmp src src_interface_name:src_address [([idfw_user | FQDN_string], sg_info)] dst dest_interface_name:dest_address [([idfw_user | FQDN_string], sg_info)] (type icmp_type, code icmp_code)
embedded_frame_info = prot src source_address/source_port [([idfw_user |
FQDN_string], sg_info)] dst dest_address/dest_port [(idfw_user|FQDN_string),
sg_info]
ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA.

Mohammed al Baqari · ‎02-19-2019

ICMP type 3 is destination unreachable. As the name implies, ASA received
ICMP unreachable message and dropped it because there is no ICMP active
connection for same source destination.

Typically this is because you initiated a connected to an IP address xyz
and when the packet passed ASA and arrived at your upstream router, the
router can't route this packet because there is no route entry in its
table. The router will respond with destination unreachable message to you.
Now ASA will drop this packet because you don't have active connection for
ICMP and you don't have an ACL to allow ICMP unreachable.

Hope its clear now. To fix this issue look at your upstream router (or l3
switch) and see why it can't route packets. Also, if you don't have
security concerns allow ICMP unreachable messages through an ACL.

View solution in original post

Kevin_W · ‎03-09-2020

We had the same problem and log messages.
The solution in our scenario is to disable IPv6 on the ethernet adapter of the affected notebook. After that, DNS was successful.

Just in case, some other have the same problem, this might be an alternative solution.

View solution in original post

Mohammed al Baqari · ‎02-19-2019

ICMP type 3 is destination unreachable. As the name implies, ASA received
ICMP unreachable message and dropped it because there is no ICMP active
connection for same source destination.

Typically this is because you initiated a connected to an IP address xyz
and when the packet passed ASA and arrived at your upstream router, the
router can't route this packet because there is no route entry in its
table. The router will respond with destination unreachable message to you.
Now ASA will drop this packet because you don't have active connection for
ICMP and you don't have an ACL to allow ICMP unreachable.

Hope its clear now. To fix this issue look at your upstream router (or l3
switch) and see why it can't route packets. Also, if you don't have
security concerns allow ICMP unreachable messages through an ACL.

CiscoBrownBelt · ‎02-20-2019

Ok thanks!

When you say router can't route the packets I am a bit confused. Wouldn't it route to the internet webpage via default 0.0.0.0 route or are you describing a different kind or route process that happens?

Mohammed al Baqari · ‎02-20-2019

Ideally you are right but this isn't happening which you need to look at

CiscoBrownBelt · ‎02-21-2019

Awesome thanks!
Perhaps some misconfiguration or something. I will look.

flerben33 · ‎11-05-2020

I'm seeing this with two devices that are directly connected to the ASA and am wondering what might cause that.

Kevin_W · ‎03-09-2020

We had the same problem and log messages.
The solution in our scenario is to disable IPv6 on the ethernet adapter of the affected notebook. After that, DNS was successful.

Just in case, some other have the same problem, this might be an alternative solution.

CiscoBrownBelt · ‎03-09-2020

Good stuff thanks.
I will try that.

Peter Koltl · ‎06-03-2021

Neither explanation is sufficient in my opinion. The Unreachable packet refers to a previous UDP/53 DNS packet (a reply packet actually) that is probably a valid reply to a valid DNS request. Somehow the client refuses to accept the DNS reply as if it had already removed the UDP socket from its connection table but why? The client should accept the DNS response and should not send ICMP unreachable.