Solved: Re: ICMP Unreachable messages on ASA?

CiscoPurpleBelt · ‎09-26-2019

Does ASA continue to try and send icmp messages to hosts that have been removed from configurations such as let's say Netflow exporter IP was removed or changed? Anyway to stop ASA from sending certain ICMP messages to certain destinatinos?

Marvin Rhoads · ‎09-26-2019

An ASA doesn't spontaneously send icmp unreachable messages.

If a host sends a traceroute and the ASA is one of the hops in the routing path, an icmp unreachable may be returned if "decrement-ttl" is set on the ASA service policy (it is not by default).

View solution in original post

Marvin Rhoads · ‎09-26-2019

That's correct.

It's not the only possibility but it would be by far the most common cause.

View solution in original post

Marvin Rhoads · ‎09-26-2019

An ASA doesn't spontaneously send icmp unreachable messages.

If a host sends a traceroute and the ASA is one of the hops in the routing path, an icmp unreachable may be returned if "decrement-ttl" is set on the ASA service policy (it is not by default).

CiscoPurpleBelt · ‎09-26-2019

Ok I see great thanks. So basically if I am seeing icmp messages for somethign that is not configured on the ASA, its from a host sending traffic to another host and this traffic must pass throught the ASA correct?

Marvin Rhoads · ‎09-26-2019

That's correct.

It's not the only possibility but it would be by far the most common cause.