01-19-2011 08:57 AM - edited 03-11-2019 12:37 PM
Has anyone noticed issues with icmp inspection not working on certain conversations,
or can someone think of another explanation for this?
%ASA-6-302020: Built outbound ICMP connection for faddr XX.XX.XX.XX/0 gaddr YY.YY.YY.YY/1341 laddr YY.YY.YY.YY/1341
%ASA-4-313004: Denied ICMP type=0, from laddr XX.XX.XX.XX on interface outside to YY.YY.YY.YY: no matching session
%ASA-6-302021: Teardown ICMP connection for faddr XX.XX.XX.XX/0 gaddr YY.YY.YY.YY/1341 laddr YY.YY.YY.YY/1341
ICMP inspection is on and counters are showing packets passed/dropped. CPU/memory usage are nominal. There is no NAT going on.
The outside ACL even permits inbound ICMP though that is beside the point for reply packets IIRC.
Most ICMP operations just work. I can't get the messages to replicate from a test point, only my customers seem to be able to generate them :-)
Also we've had one complaint that would seem to point to PMTUD problems, and I do see some type-3 failures, but no code 4's, only code 1's.
However even those code 1's should be able to pass, as there are active sessions.
The problem seems to persist for certain pairs of sender/receiver, but is not especially widespread.
01-20-2011 12:45 PM
Hi.
It would be good to capture the packet that left the ASA and the reply packet that was dropped, to see if there is something wrong.
It could be that the echo reply that was dropped didn't match the echo request forwarded by the ASA (for example, a wrong ICMP id).
Also, do you have "inspect icmp" in your global policy-map? If not, try enabling it and see if there is a difference.
For other error types/codes, if you have "inspect icmp", you should make sure that your policy-map also has "inspect icmp error" as well as "inspect icmp".
If no "inspect icmp" is enabled, and your ACLs are permitting the ICMP packet inbound, then it should pass fine.
Regards,
Fadi.
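To make the pattern in the first post easier to see in a larger log, and to check the ICMP-id mismatch idea in the reply above, here is an added Python example that is not part of this thread. It walks ASA syslog lines in order, tracks which ICMP sessions (keyed by address pair and ICMP id from the 302020/302021 messages) are open, and labels every 313004 "no matching session" denial as arriving while a session for that pair was open, after it was torn down, or with no session ever seen. The message formats are taken from the three lines quoted in the first post; the sample lines and addresses (RFC 5737 documentation ranges) are constructed for the example, and the verdict names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the three messages quoted in the first post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
# Pair .10: reply denied while its session (id 1341) is still open (the symptom in the thread).
# Pair .20: reply denied after the session was already torn down (late reply, expected drop).
# Pair .30: clean echo with no denial at all.
SAMPLE_LOG = """\
%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.5/1341 laddr 198.51.100.5/1341
%ASA-4-313004: Denied ICMP type=0, from laddr 203.0.113.10 on interface outside to 198.51.100.5: no matching session
%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.5/1341 laddr 198.51.100.5/1341
%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.20/0 gaddr 198.51.100.5/1342 laddr 198.51.100.5/1342
%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.20/0 gaddr 198.51.100.5/1342 laddr 198.51.100.5/1342
%ASA-4-313004: Denied ICMP type=0, from laddr 203.0.113.20 on interface outside to 198.51.100.5: no matching session
%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.30/0 gaddr 198.51.100.5/1343 laddr 198.51.100.5/1343
%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.30/0 gaddr 198.51.100.5/1343 laddr 198.51.100.5/1343
"""

# In 302020/302021 the ICMP id shows up as the "port" of gaddr/laddr; faddr carries the type (0 here).
BUILT_RE = re.compile(
    r"%ASA-6-302020: Built \w+ ICMP connection for faddr (\S+)/(\d+) gaddr (\S+)/(\d+) laddr (\S+)/(\d+)")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302021: Teardown ICMP connection for faddr (\S+)/(\d+) gaddr (\S+)/(\d+) laddr (\S+)/(\d+)")
# 313004 names the remote sender as "laddr" and carries no ICMP id, so we can only correlate by address pair.
DENIED_RE = re.compile(
    r"%ASA-4-313004: Denied ICMP type=(\d+), from laddr (\S+) on interface (\S+) to (\S+): no matching session")


def classify_denials(log_text):
    """Label each 313004 denial by the session state of its (remote, local) pair at that moment."""
    open_sessions = defaultdict(set)  # (remote, local) -> ICMP ids currently open
    seen_pairs = set()
    findings = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            remote, _, _, _, local, icmp_id = m.groups()
            open_sessions[(remote, local)].add(int(icmp_id))
            seen_pairs.add((remote, local))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            remote, _, _, _, local, icmp_id = m.groups()
            open_sessions[(remote, local)].discard(int(icmp_id))
            continue
        m = DENIED_RE.search(line)
        if m:
            icmp_type, remote, iface, local = m.groups()
            pair = (remote, local)
            if open_sessions[pair]:
                verdict = "open_session"      # reply denied although a session exists: worth a capture
            elif pair in seen_pairs:
                verdict = "after_teardown"    # late reply, session already gone: expected drop
            else:
                verdict = "no_session"        # unsolicited reply, nothing to match
            findings.append({"pair": pair, "interface": iface, "icmp_type": int(icmp_type),
                             "open_ids": sorted(open_sessions[pair]), "verdict": verdict})
    return findings


def summarize_by_pair(findings):
    """Count verdicts per address pair, to spot the 'certain pairs' pattern the first post describes."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["pair"]][f["verdict"]] += 1
    return {pair: dict(v) for pair, v in counts.items()}


if __name__ == "__main__":
    for f in classify_denials(SAMPLE_LOG):
        print(f)
    print(summarize_by_pair(classify_denials(SAMPLE_LOG)))
```

Denials labelled open_session are the ones to take a packet capture on: the ASA had a session for that pair with the listed ICMP ids, so the reply that was dropped is the one to compare against the forwarded request (id, sequence, payload). The after_teardown label separates out late replies, which will show up with the same 313004 text but need no investigation.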
01-21-2011 07:18 AM
Hi,
Yes, "inspect icmp" is in the global policy map.
About "inspect icmp error" -- does that really do anything when there is no NAT? The documentation just says that it performs NAT fixups.
Something I noticed is that there seems to be a difference between an ACE that just says "permit icmp" and an ACE that uses an ICMP service group object. The latter seems to let more things through. This is pretty counterintuitive, and it would be good to see this behavior documented somewhere.
01-21-2011 07:28 AM
If your ACE says "permit icmp any any", then it should allow the ICMP packets regardless of whether you use object-groups or not, unless your ACE specifies some specific ICMP types to permit.
Can you paste here both ACEs you are referring to?
regards,
Fadi.
01-21-2011 08:00 AM
permit icmp any inside_globals
versus
object-group icmp-type ICMPstuff
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
permit icmp any inside_globals object-group ICMPstuff
...both configurations still have spurious drops, but the second one seems to have fewer drops.