ICMP Unreachable messages on ASA?

CiscoPurpleBelt
Frequent Contributor

Does the ASA continue to try to send ICMP messages to hosts that have been removed from its configuration, for example when a NetFlow exporter IP was removed or changed? Is there any way to stop the ASA from sending certain ICMP messages to certain destinations?

3 Replies

Marvin Rhoads
VIP Community Legend

An ASA doesn't spontaneously send ICMP unreachable messages.

If a host sends a traceroute and the ASA is one of the hops in the routing path, an ICMP unreachable may be returned if "decrement-ttl" is set on the ASA service policy (it is not by default).

OK, I see, great, thanks. So basically, if I am seeing ICMP messages for something that is not configured on the ASA, it's from a host sending traffic to another host and this traffic must pass through the ASA, correct?

That's correct.

It's not the only possibility but it would be by far the most common cause.
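
To check whether the "decrement-ttl" setting mentioned in this thread is present on a given firewall, the following added example (not code from the thread or from Cisco) scans a saved running-config for `set connection decrement-ttl` and reports which policy-map and class carry it, and whether that policy-map is actually applied by a `service-policy` command. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of an ASA running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
  set connection decrement-ttl
policy-map OUTSIDE_POLICY
 class class-default
  set connection timeout idle 1:00:00
service-policy global_policy global
icmp unreachable rate-limit 1 burst-size 1
"""

def find_decrement_ttl(config):
    """Return (policy_map, class) pairs where 'set connection decrement-ttl' is configured."""
    hits = []
    policy = cls = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 0:
            # Any top-level command ends the current policy-map block.
            m = re.match(r"policy-map (\S+)$", text)
            policy, cls = (m.group(1) if m else None), None
        elif policy and indent == 1 and text.startswith("class "):
            cls = text.split()[1]
        elif policy and cls and text.startswith("set connection") \
                and "decrement-ttl" in text.split():
            hits.append((policy, cls))
    return hits

def applied_policies(config):
    """Return the policy-map names referenced by a service-policy command."""
    return set(re.findall(r"^service-policy (\S+) ", config, flags=re.M))

def active_decrement_ttl(config):
    """Keep only the hits whose policy-map is actually applied."""
    applied = applied_policies(config)
    return [(p, c) for p, c in find_decrement_ttl(config) if p in applied]

if __name__ == "__main__":
    for policy, cls in active_decrement_ttl(SAMPLE_CONFIG):
        print(f"decrement-ttl active: policy-map {policy}, class {cls}")
```

An empty result means the ASA is not decrementing TTL under any applied service policy, which is the default behaviour described in the reply above.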
