ASA 8.3 L2 mode, strange ICMP state failures

b.julin
Level 3

Has anyone noticed issues with ICMP inspection not working on certain conversations, or can someone think of another explanation for this?

%ASA-6-302020: Built outbound ICMP connection for faddr XX.XX.XX.XX/0 gaddr YY.YY.YY.YY/1341 laddr YY.YY.YY.YY/1341

%ASA-4-313004: Denied ICMP type=0, from laddr XX.XX.XX.XX on interface outside to YY.YY.YY.YY: no matching session

%ASA-6-302021: Teardown ICMP connection for faddr XX.XX.XX.XX/0 gaddr YY.YY.YY.YY/1341 laddr YY.YY.YY.YY/1341

ICMP inspection is on and counters are showing packets passed/dropped.  CPU/memory usage are nominal. There is no NAT going on.

The outside ACL even permits inbound ICMP though that is beside the point for reply packets IIRC.

Most ICMP operations just work.  I can't get the messages to replicate from a test point, only my customers seem to be able to generate them :-)

Also we've had one complaint that would seem to point to PMTUD problems, and I do see some type-3 failures, but no code 4's, only code 1's.

However even those code 1's should be able to pass, as there are active sessions.

The problem seems to persist for certain pairs of sender/receiver, but is not especially widespread.

4 Replies

fadlouni
Level 1

Hi.

It would be good to capture the packet that left the ASA and the reply packet that was dropped, to see if there is something wrong.

It could be that the echo reply that was dropped wasn't necessarily matching the echo request forwarded by the ASA (for example, a wrong ICMP id).

Also, do you have "inspect icmp" in your global policy-map? If not, try enabling it and see if there is a difference.

For other error types/codes, if you have "inspect icmp", you should make sure that your policy-map also has "inspect icmp error" as well as "inspect icmp".

If no "inspect icmp" is enabled, and your ACLs are permitting the ICMP packet inbound, then it should pass fine.

Regards,

Fadi.
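
As an added illustration (this is not ASA code and not something either poster wrote), the following Python models the stateful matching Fadi describes: an echo request leaving the inside builds a session keyed on the two addresses and the ICMP identifier, an echo reply from the outside is passed only if it matches that session on identifier and sequence number (and only once), and an ICMP error such as a type 3 is passed only if the datagram it quotes belongs to a live session. Matching on sequence number and allowing a single reply per request is an assumption about the behaviour being modelled, not a statement of what ASA 8.3 does internally. The addresses (RFC 5737 ranges), identifier 1341, ports and packet bytes are all constructed for the example; the syslog IDs 302020, 302021 and 313004 are the ones from the original post. Running the replay reproduces the "no matching session" drop for a reply whose identifier differs from the request, which is exactly the case Fadi suggests looking for in a capture.

```python
import ipaddress
import struct

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum stays zero since nothing is sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def echo(src, dst, typ, ident, seq):
    """Echo request or reply with an 8-byte payload, wrapped in an IPv4 header."""
    icmp = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + b"abcdefgh"
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def icmp_error(src, dst, typ, code, original):
    """ICMP error quoting the first 28 bytes (IP header + 8) of the offending datagram."""
    icmp = struct.pack("!BBHI", typ, code, 0, 0) + original[:28]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def split_ip(pkt):
    """Return (src, dst, proto, payload) of an IPv4 datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])


class IcmpStateTracker:
    """Toy stateful ICMP tracker (assumed behaviour, not the ASA's implementation)."""

    def __init__(self):
        self.echo_sessions = {}   # (laddr, faddr, ident) -> expected seq
        self.l4_sessions = set()  # (laddr, faddr, proto, lport, fport)
        self.log = []

    def add_l4_session(self, laddr, faddr, proto, lport, fport):
        self.l4_sessions.add((laddr, faddr, proto, lport, fport))

    def _inner_matches(self, quoted):
        """Does the datagram quoted inside an ICMP error belong to a live session?"""
        if len(quoted) < 28:
            return False
        isrc, idst, iproto, il4 = split_ip(quoted)
        if iproto == 1:
            ityp, _code, _csum, ident, _seq = struct.unpack("!BBHHH", il4[:8])
            return ityp == ECHO_REQUEST and (isrc, idst, ident) in self.echo_sessions
        if iproto in (6, 17):  # TCP / UDP: match the quoted 4-tuple
            sport, dport = struct.unpack("!HH", il4[:4])
            return (isrc, idst, iproto, sport, dport) in self.l4_sessions
        return False

    def handle(self, pkt, iface):
        """Return 'built', 'pass' or 'drop' for one packet seen on iface."""
        src, dst, proto, l4 = split_ip(pkt)
        if proto != 1:
            return "not-icmp"
        typ, code = l4[0], l4[1]
        if typ == ECHO_REQUEST and iface == "inside":
            ident, seq = struct.unpack("!HH", l4[4:8])
            self.echo_sessions[(src, dst, ident)] = seq
            self.log.append(f"302020: Built outbound ICMP connection for faddr {dst}/0 "
                            f"gaddr {src}/{ident} laddr {src}/{ident}")
            return "built"
        if typ == ECHO_REPLY and iface == "outside":
            ident, seq = struct.unpack("!HH", l4[4:8])
            key = (dst, src, ident)
            if self.echo_sessions.get(key) == seq:
                del self.echo_sessions[key]  # one reply per request
                self.log.append(f"302021: Teardown ICMP connection for faddr {src}/0 "
                                f"gaddr {dst}/{ident} laddr {dst}/{ident}")
                return "pass"
            self.log.append(f"313004: Denied ICMP type=0, from laddr {src} on interface "
                            f"{iface} to {dst}: no matching session")
            return "drop"
        if typ in (DEST_UNREACH, TIME_EXCEEDED):
            if self._inner_matches(l4[8:]):
                return "pass"
            self.log.append(f"313004: Denied ICMP type={typ}, code={code}, from laddr {src} "
                            f"on interface {iface} to {dst}: no matching session")
            return "drop"
        return "drop"  # anything else (e.g. unsolicited inbound echo) is left to the ACL


def demo():
    """Replay a constructed conversation; returns (verdict per packet, syslog-style lines)."""
    t = IcmpStateTracker()
    inside, outside, router = "192.0.2.10", "198.51.100.7", "203.0.113.1"  # constructed
    req = echo(inside, outside, ECHO_REQUEST, 1341, 1)
    v = {"request": t.handle(req, "inside")}
    v["matching_reply"] = t.handle(echo(outside, inside, ECHO_REPLY, 1341, 1), "outside")
    v["duplicate_reply"] = t.handle(echo(outside, inside, ECHO_REPLY, 1341, 1), "outside")
    t.handle(req, "inside")
    v["wrong_ident_reply"] = t.handle(echo(outside, inside, ECHO_REPLY, 1342, 1), "outside")
    v["unreach_for_live_echo"] = t.handle(icmp_error(router, inside, DEST_UNREACH, 1, req), "outside")
    syn = ipv4_header(inside, outside, 6, 20) + struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)
    v["unreach_for_unknown_tcp"] = t.handle(icmp_error(router, inside, DEST_UNREACH, 1, syn), "outside")
    t.add_l4_session(inside, outside, 6, 40000, 443)
    v["unreach_for_live_tcp"] = t.handle(icmp_error(router, inside, DEST_UNREACH, 1, syn), "outside")
    return v, t.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name:24s} {verdict}")
    print("\n".join(log))
```

When comparing this against a real capture, the fields to line up are the ICMP identifier and sequence number of the dropped reply against the request the ASA forwarded, and, for a type 3, the source and destination addresses plus ports or identifier of the quoted datagram against the connection table.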

Hi,

Yes, "inspect icmp" is in the global policy map.

About "inspect icmp error" -- does that really do anything when there is no NAT?  The documentation just says that it performs NAT fixups.

Something I noticed is that there seems to be a difference between an ACE that just says "permit icmp" and an ACE that uses an ICMP service group object.  The latter seems to let more things through.  This is pretty counterintuitive, and it would be good to see this behavior documented somewhere.

If your ACE says "permit icmp any any" then it should allow the ICMP packets regardless of whether you use object-groups or not, unless your ACE specifies some specific ICMP types to permit.

Can you paste here both ACEs you are referring to?

Regards,

Fadi.

permit icmp any inside_globals

versus

object-group icmp-type ICMPstuff
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded

permit icmp any inside_globals object-group ICMPstuff

...both configurations still have spurious drops, but the second one seems to have less drops.
