07-26-2024 01:49 PM
I am confused, and I have tried to read a lot of this to understand. Please help me understand!
Logs fill with:
%FTD-3-305006: regular translation creation failed for icmp src Inside:x.x.x.x dst Outside:x.x.x.x (type 3, code 3)
I have a manual dynamic nat rule -
inside -> outside source dynamic (network object for all my local IPv4) interface
My interface is set with public ipv4 block.
FTD# show xlate count
1880 in use, 13244 most used
show asp drop
Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 26
Flow is being freed (flow-being-freed) 701
Invalid TCP Length (invalid-tcp-hdr-length) 2
No valid adjacency (no-adjacency) 10703
No route to host (no-route) 27892
Flow is denied by configured rule (acl-drop) 326251
Invalid SPI (np-sp-invalid-spi) 86
First TCP packet not SYN (tcp-not-syn) 89196
TCP failed 3 way handshake (tcp-3whs-failed) 6687
TCP RST/FIN out of order (tcp-rstfin-ooo) 232722
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 499
TCP SYNACK on established conn (tcp-synack-ooo) 193
TCP packet SEQ past window (tcp-seq-past-win) 1883
TCP invalid ACK (tcp-invalid-ack) 108
TCP RST/SYN in window (tcp-rst-syn-in-win) 111
TCP packet failed PAWS test (tcp-paws-fail) 15
Slowpath security checks failed (sp-security-failed) 1408
Snort requested to drop the frame (snort-drop) 5423
Snort instance down not in full proxy (snort-down-not-fp) 1241
FP L2 rule drop (l2_acl) 32
Virtual firewall classification failed (ifc-classify) 1
Interface is down (interface-down) 353
Dropped pending packets in a closed socket (np-socket-closed) 78890
Async lock queue limit exceeded (async-lock-queue-limit) 7260
IKE new SA limit exceeded (ike-sa-rate-limit) 117
NAT failed (nat-xlate-failed) 5
TCP Proxy retransmited packet drop (tcp-proxy-retransmit-drop) 1841
TCP Proxy FP2LW enqueue limit reached (tcp-proxy-fp2lw-enqueue-limit-drop) 726
TCP Proxy probe reset injected (tcp-proxy-probe-rst-injected) 108180
TCP Proxy probe receive drop (tcp-proxy-probe-tcp-probe-drop) 59622
TCP Proxy probe injected packet drop (tcp-proxy-probe-inject-pkt) 1
Server initiated reset to probe drop (tcp-proxy-probe-server-rst) 23
Server initiated FIN to Probe drop (tcp-proxy-probe-server-fin) 1449
Blocked or blacklisted by the firewall preprocessor (firewall) 69383
Blocked or blacklisted by the stream preprocessor (stream) 72090
Blocked or blacklisted by the reputation preprocessor (reputation) 20
Blocked or blacklisted by the IPS preprocessor (ips-preproc) 1
Packet is blacklisted by snort (snort-blacklist) 132149
Packet is blocked as requested by snort (snort-block) 829
Modifies fixed length of data (snort-replace-data-pkt) 4282
Error during reassembling of packets received from snort (pdts-reassembly-err) 2186
Dispatch queue tail drops (dispatch-queue-limit) 1838458
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 426
VPN decryption missing (vpn-missing-decrypt) 16
Inspection failure (inspect-fail) 80
Last clearing: Never
My ACLs allow ICMP from inside to outside; I've tried enabling ICMP inspect, increasing the timeout to a minute...
FTD# show running-config | i icmp
icmp unreachable rate-limit 50 burst-size 10
icmp permit any Outside
icmp permit any Inside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:01:00
inspect icmp error
inspect icmp
It is confusing; it APPEARS that this is only happening for Mac/Linux devices.
TAC suggested just blocking ICMP incoming in the prefilter, and I was like, at least my logs won't be flooded - so I did a prefilter to block any ICMP in. ~20 seconds of no translation error, then right back to consistently showing up.
I removed the prefilter rule, and keep reading posts/docs/guides trying to understand.
I tried to create a NAT rule specifically for ICMP, but NAT rules on the FTD managed by FMC say only TCP/UDP are allowed.
I did packet captures at the inside interface and the outside interface and learned nothing. I checked my connection events surrounding the ICMP message. The connection events say the message was "allowed" from inside to outside.
I am confused about what this is telling me, https://datatracker.ietf.org/doc/html/rfc792
ICMP type 3, code 3 - Destination Unreachable - Port Unreachable
For example:
Let's assume
Internal host 192.168.1.50
External host 50.10.10.10
Internal host goes to coolwebsite, coolwebsite resolves as 50.10.10.10, the internal host tries an HTTP GET on port 80, but the port is closed, so the internal host then sends ICMP 3,3 to 50.10.10.10 -
Is this how it is supposed to work?
Any advice on understanding the ICMP type 3, code 3 / understanding translation creation failures / any configuration suggestions or where to look would be greatly appreciated.
FTD 2110 on 7.4.1.1 managed by FMC 1600 on 7.4.1.1
07-26-2024 03:25 PM
#show nat pool
Share this please
MHM
07-26-2024 04:32 PM
> show nat pool
TCP PAT pool Outside, address x.x.x.146, range 1-1023, allocated 0
TCP PAT pool Outside, address x.x.x.146, range 1024-65535, allocated 741
UDP PAT pool Outside, address x.x.x.146, range 1-1023, allocated 1
UDP PAT pool Outside, address x.x.x.146, range 1024-65535, allocated 1066
ICMP PAT pool Outside, address x.x.x.146, range 1-65535, allocated 6
UDP PAT pool Inside, address 172.16.254.254, range 1-1023, allocated 1
UDP PAT pool Inside, address 172.16.254.254, range 1024-65535, allocated 2
TCP PAT pool Inside, address 172.16.254.254, range 1-1023, allocated 1
TCP PAT pool Inside, address 172.16.254.254, range 1024-65535, allocated 0
>
07-28-2024 04:19 PM
The pool is not exhausted, judging from the shared show nat pool.
For example:
Let's assume
Internal host 192.168.1.50
External host 50.10.10.10
Internal host goes to coolwebsite, coolwebsite resolves as 50.10.10.10, the internal host tries an HTTP GET on port 80, but the port is closed, so the internal host then sends ICMP 3,3 to 50.10.10.10 -
Is this how it is supposed to work?
No
The ICMP is sent when there is no port allocated for the client; as I see, there is no exhaustion.
For the Mac OS, can I know the source and destination port? Did you capture the traffic?
MHM
07-29-2024 07:17 AM
This is wrong: "The ICMP is sent when there is no port allocated for the client; as I see, there is no exhaustion". Actually the 305006 is sent because ASA/FTD doesn't support PAT for ICMP error messages like ICMP Port Unreachable. This is actually a design bug: CSCvv46474 Implement PAT for ICMP error messages on ASA. There is also a DOC bug: CSCvv55387. Read them, they explain everything pretty well.
In order to understand why exactly you see such messages you need to collect packet captures. Typically, if you see "%FTD-3-305006: regular translation creation failed for icmp src Inside:x.x.x.x dst Outside:y.y.y.y (type 3, code 3)", there was a UDP connection request from Outside:y.y.y.y to Inside:x.x.x.x, but x.x.x.x doesn't listen on the UDP port and hence sends back ICMP Port Unreachable, which the firewall fails to PAT. TAC should be able to assist, instead of giving stupid recommendations to block ICMP.
Also, it is possible to block syslog message 305006 or decrease its severity, instead of blocking ICMP altogether.
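To see what a capture of such a packet actually carries, here is an added Python example (not code from the thread or from Cisco) that constructs an ICMP 3/3 Port Unreachable and decodes it per RFC 792: the error embeds the IP header and first 8 bytes of the rejected datagram, so it names the outside source, the inside host and the UDP ports, the very fields a translation would also have to rewrite inside the payload. The addresses reuse the thread's 192.168.1.50 and 50.10.10.10 and the ports are made-up sample values.

```python
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, IPPROTO_UDP = 3, 3, 17


@dataclass
class IcmpError:
    type: int
    code: int
    inner_src: str    # sender of the datagram that was rejected
    inner_dst: str    # host that rejected it, i.e. the sender of this ICMP error
    inner_proto: int
    inner_sport: int
    inner_dport: int


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over an intact packet."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_port_unreachable(orig_src: str, orig_dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: the ICMP 3/3 that orig_dst emits when a UDP datagram
    orig_src:sport -> orig_dst:dport hits a closed port (inner IP checksum left 0)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, IPPROTO_UDP, 0,
                           bytes(map(int, orig_src.split("."))), bytes(map(int, orig_dst.split("."))))
    body = inner_ip + struct.pack("!HHHH", sport, dport, 8, 0)  # first 8 bytes = UDP header
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, _checksum(hdr + body), 0) + body


def parse_icmp_error(pkt: bytes) -> IcmpError:
    """Decode a Destination Unreachable per RFC 792: 8-byte ICMP header, then the
    offending packet's IP header and the first 8 bytes of its payload (the L4 ports)."""
    if len(pkt) < 28 or _checksum(pkt) != 0:
        raise ValueError("truncated ICMP error or bad checksum")
    if pkt[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message")
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        raise ValueError("embedded header truncated")
    ip = lambda b: ".".join(str(x) for x in b)
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return IcmpError(pkt[0], pkt[1], ip(inner[12:16]), ip(inner[16:20]), inner[9], sport, dport)
```

Feed parse_icmp_error the ICMP message body from a capture (everything after the outer IP header) to recover, for each 305006, which outside source and which inside UDP port were involved.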
07-29-2024 11:11 AM
Is the error for ICMP or other traffic?
This needs to be checked.
It can be that the FTD terminates the traffic on the client and sends a reset, but the server doesn't receive the reset and tries to connect to the host, and the xlate is removed, hence the ICMP is sent from the FTD to the server.
So capture, and show conn <ip that appears in log>, show xlate
to see what type of traffic this is.