Cisco ASA 5505 Denied ICMP type=0, no matching session

Johan Kardell
Level 1

Hi

I set up routing in my ASA to a lab environment (static routing from the ASA). I can ping my Cisco ASA from my lab, and ping the lab from my Cisco ASA, but I can't ping from the lab to, for example, my Cisco switch connected behind the ASA (or anything else on my LAN). When I do this I get the following message in the ASA (172.16.30.2 is my switch):

Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session

I don't know why I get this message, whether it's because the ASA complains about some kind of asymmetric routing or because some rule in the ASA is blocking this. In this case that's not really important :), I'm just curious if you can permit this in some way?

The lab consists of Cisco routers.

Anyone know how to permit this in the ASA? Would be really helpful!!!! :)

(Image on ASA is: asa922-4-k8.bin)


Thanks for reading this!

7 Replies

Collin Clark
VIP Alumni

Can you post a picture of your topology?

Sure!

The lab is on a computer running GNS3; this might be what the ASA doesn't like...?

A bit more explanation:

I have connected my GNS3 environment to my real network.

I have set up BGP and OSPF in GNS3, and static routes in my Cisco ASA to the GNS3 network

(in the ASA, 172.16.1.0/24 and 192.168.1.0/24 are routed to the interface on VMA-01R facing my real network, that's:

route inside 172.16.1.0 255.255.255.0 172.16.30.13
route inside 192.168.1.0 255.255.255.0 172.16.30.13).

In RNK-02R I have a default route (that's coming via BGP from VMA-01R) to VMA-01R, and in VMA-01R I have the connection to my real environment.

From the ASA I can successfully ping my GNS3 routers, and from GNS3 I can ping the Cisco ASA firewall, but when I try to ping anything else on my internal network, the ASA complains with the following message:

Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session

(172.16.30.2 is in this case the Cisco switch; the Cisco switch and the Cisco ASA are on my real network.)

As a test can you put a static route in your switch?

ip route 172.16.1.10 255.255.255.255 172.16.30.13

Now try and ping 172.16.1.10

Thanks, but I can't :/, it's a Cisco 2940.
I'm thinking about trying to replace the Cisco ASA with a Cisco router temporarily and see if this works. I can't do this until Saturday though (don't have the eq. right now), but I would prefer if it was possible to get the ASA to somehow permit this, since the ASA is my "real" connection to the internet.

(Sorry, I accidentally clicked correct answer)

Ah ok. ICMP on the ASA can be a PIA, especially when traversing interfaces. A couple of other things to check. First, do you have "same-security-traffic permit intra-interface" configured? In the logs on the ASA, are you getting an error pertaining to IP redirects or TCP state failure? (You will have to try "telnet 172.16.1.10".)

Ok :), I enabled "same-security-traffic.." on the ASA; now I can ping the environment in the lab from my client, but can't, for example, telnet.

I tried to telnet to a loopback in the lab, "192.168.1.6", from my client on the real LAN.

From the lab I still can't ping anything on the 172.16.30.0/24 network, please see the attachment from the ASA log. Thanks for all your help, Collin!

Any ideas :/?

Okay! I got it to work :)!!!

I enabled "same-security-traffic permit intra-interface" and followed this guide; this guide did the trick with the telnet as well!

"http://www.matthewjwhite.co.uk/2012/02/13/asymmetric-routing-with-cisco-asa-firewalls/"

Thanks for all the help! This might not be the optimal solution, but in my case this is what I needed.
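As an added example (not from this thread, and not Cisco's code), here is a small Python parser for the %ASA-4-313004 message Johan quoted. It separates ICMP type 0 (echo reply) denials, which mean the ASA never saw the matching echo request on that interface (the asymmetric-routing symptom discussed above), from other no-session denials; the first sample line is the one quoted in the thread, the remaining lines are constructed.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional
# Constructed sample log: line 1 is the message quoted in the thread; the rest are made up.
SAMPLE_LOG = """\
Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session
Jan 14 2015 13:16:14: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session
Jan 14 2015 13:16:20: %ASA-4-313004: Denied ICMP type=3, from laddr 10.0.0.1 on interface outside to 172.16.30.5: no matching session
Jan 14 2015 13:16:21: %ASA-6-302020: Built inbound ICMP connection for faddr 172.16.1.10/0 gaddr 172.16.30.1/0 laddr 172.16.30.1/0
"""

PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-313004: Denied ICMP type=(?P<type>\d+), "
    r"from laddr (?P<src>[\d.]+) on interface (?P<iface>\S+) "
    r"to (?P<dst>[\d.]+): no matching session$"
)

class Denial(NamedTuple):
    timestamp: str
    icmp_type: int
    src: str
    iface: str
    dst: str

def parse_313004(line: str) -> Optional[Denial]:
    """Parse one %ASA-4-313004 line; return None for any other message."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    return Denial(m["ts"], int(m["type"]), m["src"], m["iface"], m["dst"])

def is_stray_reply(d: Denial) -> bool:
    """Type 0 is an echo reply; denied for lack of a session means the ASA never
    saw the matching echo request on this interface (asymmetric path), not an ACL."""
    return d.icmp_type == 0

def summarize(log_text: str) -> dict:
    """Count 313004 denials per (iface, src, dst) and how many are stray replies."""
    per_flow, stray = Counter(), Counter()
    for line in log_text.splitlines():
        d = parse_313004(line)
        if d is None:
            continue
        key = (d.iface, d.src, d.dst)
        per_flow[key] += 1
        if is_stray_reply(d):
            stray[key] += 1
    return {"per_flow": dict(per_flow), "stray_echo_replies": dict(stray)}
```

A flow that shows up only under stray_echo_replies is the case from this thread: the request left the ASA by a different path than the reply comes back on, so the ASA's ICMP session table has nothing to match.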
