CSCui77398 - ICMP Inspection close valid connection

a12288
Level 3

Hi, there.

We have a pair of ASA5585-40 in HA running 9.1(3). Due to bug CSCui77398, we noticed from the ASA syslog messages that valid connections are being closed by ICMP inspection. We do have ICMP inspection enabled, since quite a few applications depend on a successful PING to work properly.

Just wondering, has anyone run into this bug, and which version has successfully addressed it? I do have a TAC case open, but TAC is unable to confirm which release has this bug addressed.

The ASA syslog will display something like "....... Flow closed by inspection"; also, "show service-policy | in icmp" in my case has the following output:

      Inspect: icmp, packet 1302002238, lock fail 0, drop 2119758, reset-drop 0, v6-fail-close 0


Leo Song

4 Replies

Vibhor Amrodia
Cisco Employee

Hi,

This defect should be fixed on your current OS 9.1.3.

If you are still getting the traffic drops, try to verify the drops with the syslog.

Thanks and Regards,

Vibhor Amrodia

According to the Cisco bug report here, this bug should have been addressed in 9.1(3); however, we are running 9.1(3) and can confirm this bug is not addressed, based on 1) "show service-policy | in icmp" and 2) the ASA syslogs.

I opened a TAC case and the engineer suggested I upgrade to 9.1(4), simply because this bug "should be fixed". I went through the release notes of 9.2 and 9.3; neither of them mentions this bug, either as still present or as fixed. That's why I am asking the community for help.

Leo

Hi,

I can verify that this defect is fixed on the ASA 9.1.3 code.

Are you seeing the syslogs and intermittent TCP connection drops on the ASA device?

Also, do they go away if you disable the ICMP inspection?

Thanks and Regards,

Vibhor Amrodia

Here are the facts:

  • 2015-FEB-24: Inspect: icmp, packet 1302002238, lock fail 0, drop 2119758, reset-drop 0, v6-fail-close 0
  • 2015-MAR-02: Inspect: icmp, packet 1324726483, lock fail 0, drop 2139388, reset-drop 0, v6-fail-close 0
  • ASA syslog messages still show: Mar  2 09:04:06 xxx Mar: 02 2015 09:04:06 xxx : %ASA-6-302014: Teardown TCP connection 1637623699 for outside:xxx to vlanxxx:xxx duration 4:02:45 bytes 14376 Flow closed by inspection
  • We cannot disable ICMP inspection, for two reasons: 1) it is not secure; 2) disabling ICMP inspection will block returning ICMP Echo Reply traffic, and due to the large number of VLANs on our ASA, manually updating the ACLs to explicitly allow ICMP Echo Reply is not practical.

All of the above facts make me believe this bug has not been addressed in 9.1(3).

If it has been fully addressed, as you and my TAC case engineer suggested, could it be that I hit something else?

Also, would you recommend upgrading to 9.2 or 9.3?

Leo
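As an added triage example (not part of this thread and not Cisco's code), the Python below does the two checks the thread keeps coming back to: it parses the two "show service-policy | in icmp" snapshots Leo posted to see how fast the icmp inspect engine's drop counter is climbing, and it parses %ASA-6-302014 teardown lines to pull out the ones attributed to "Flow closed by inspection" and how long those flows had lived. The first syslog line is the sanitised one quoted above; the two additional syslog lines, the RFC 5737 addresses in them, and the 60-second "long-lived flow" threshold are constructed assumptions for illustration.

```python
"""Triage helpers for ASA ICMP-inspection teardowns (added example, not Cisco's code).

Two checks from the thread:
  1. Is the "drop" counter of the icmp inspect engine still climbing between two
     "show service-policy | in icmp" snapshots?
  2. Which %ASA-6-302014 teardowns carry the reason "Flow closed by inspection",
     and how long-lived were those flows when they were torn down?
"""
import re
from datetime import date
from typing import Dict, List, Tuple

# Counter snapshots copied from the thread (2015-FEB-24 and 2015-MAR-02 outputs).
SNAPSHOTS: List[Tuple[date, str]] = [
    (date(2015, 2, 24), "Inspect: icmp, packet 1302002238, lock fail 0, drop 2119758, reset-drop 0, v6-fail-close 0"),
    (date(2015, 3, 2), "Inspect: icmp, packet 1324726483, lock fail 0, drop 2139388, reset-drop 0, v6-fail-close 0"),
]

# Constructed syslog sample: line 1 is the (sanitised) line quoted in the thread;
# lines 2 and 3 are made up here, with RFC 5737 documentation addresses, for contrast.
SYSLOG_SAMPLE = """\
Mar  2 09:04:06 xxx Mar: 02 2015 09:04:06 xxx : %ASA-6-302014: Teardown TCP connection 1637623699 for outside:xxx to vlanxxx:xxx duration 4:02:45 bytes 14376 Flow closed by inspection
Mar  2 09:04:07 fw1 : %ASA-6-302014: Teardown TCP connection 1637623700 for outside:203.0.113.10/443 to vlan100:192.0.2.20/51234 duration 0:00:12 bytes 8820 TCP FINs
Mar  2 09:04:09 fw1 : %ASA-6-302014: Teardown TCP connection 1637623701 for outside:203.0.113.11/22 to vlan101:192.0.2.21/40000 duration 1:15:03 bytes 402211 Flow closed by inspection
"""

COUNTER_RE = re.compile(
    r"Inspect: (?P<name>\S+), packet (?P<packet>\d+), lock fail (?P<lock_fail>\d+), "
    r"drop (?P<drop>\d+), reset-drop (?P<reset_drop>\d+), v6-fail-close (?P<v6_fail_close>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown (?P<proto>\S+) connection (?P<conn_id>\d+) for (?P<src>\S+) "
    r"to (?P<dst>\S+) duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
INSPECTION_REASON = "Flow closed by inspection"


def parse_inspect_counters(line: str) -> Dict[str, int]:
    """Parse one 'Inspect: <engine>, ...' line into integer counters."""
    m = COUNTER_RE.search(line)
    if not m:
        raise ValueError(f"not an inspect counter line: {line!r}")
    return {k: int(v) for k, v in m.groupdict().items() if k != "name"}


def counter_delta(snapshots: List[Tuple[date, str]]) -> dict:
    """Compare first and last snapshot: packets seen, drops added, drops per day."""
    (d0, l0), (d1, l1) = snapshots[0], snapshots[-1]
    c0, c1 = parse_inspect_counters(l0), parse_inspect_counters(l1)
    days = (d1 - d0).days
    drops = c1["drop"] - c0["drop"]
    return {
        "days": days,
        "packets": c1["packet"] - c0["packet"],
        "drops": drops,
        "drops_per_day": round(drops / days) if days else None,
        "still_dropping": drops > 0,
    }


def _hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardowns(text: str) -> List[dict]:
    """Extract every %ASA-6-302014 teardown; a line without a reason gets ''."""
    out = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line.rstrip())
        if not m:
            continue
        d = m.groupdict()
        out.append({
            "conn_id": int(d["conn_id"]),
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "duration_s": _hms_to_seconds(d["duration"]),
            "bytes": int(d["bytes"]),
            "reason": d["reason"] or "",
        })
    return out


def inspection_closures(text: str, min_duration_s: int = 60) -> List[dict]:
    """Teardowns attributed to inspection whose flow had already lived >= min_duration_s.

    The threshold is an assumption for triage: an established flow that moved bytes for
    minutes or hours and is then closed "by inspection" is the kind of connection the
    thread calls valid, as opposed to a short-lived flow that inspection rejected early.
    """
    return [
        t for t in parse_teardowns(text)
        if t["reason"] == INSPECTION_REASON and t["duration_s"] >= min_duration_s
    ]


def reason_histogram(text: str) -> Dict[str, int]:
    """Count teardowns per reason, to see how much 'Flow closed by inspection' dominates."""
    hist: Dict[str, int] = {}
    for t in parse_teardowns(text):
        hist[t["reason"]] = hist.get(t["reason"], 0) + 1
    return hist


if __name__ == "__main__":
    print(counter_delta(SNAPSHOTS))
    print(reason_histogram(SYSLOG_SAMPLE))
    for t in inspection_closures(SYSLOG_SAMPLE):
        print(f"conn {t['conn_id']} {t['src']} -> {t['dst']} lived {t['duration_s']}s, {t['bytes']} bytes")
```

Run against a real syslog export, the interesting output is the list from inspection_closures: a handful of hours-old TCP flows closed by inspection, alongside a drop counter that keeps growing between snapshots, is the evidence TAC would need, and the same two numbers taken again after an upgrade show whether the behaviour actually changed.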
