09-01-2014 06:12 AM - edited 03-12-2019 06:07 PM
I'm seeing this on our cisco pix 515e firewall log quite often:
Sep 1 13:42:52 192.168.120.248 %PIX-4-313005: No matching connection for ICMP error message: icmp src guest:192.168.0.10 dst outside:8.8.8.8 (type 3, code 3) on guest interface. Original IP payload: udp src 8.8.8.8/53 dst 192.168.0.10/52456.
On the firewall we have this set: ip address 192.168.0.248 255.255.255.0
access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any
access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any echo
access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any echo-reply
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp
mtu guest 1500
On a layer 3 switch we have this set:
ip dhcp pool guest_wifi_pool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.248
dns-server 8.8.8.8 8.8.4.4
interface Vlan2
ip address 192.168.0.1 255.255.255.0
Then we have UniFi access points on this switch. So far the source IPs in the error message seem to be iPhones!
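An added triage helper (not from this thread or from Cisco) that parses %PIX-4-313005 lines like the one above and tells apart the case shown here, where the guest host itself answers a DNS reply from 8.8.8.8/53 with port-unreachable because it was no longer listening on that port, from an ICMP error sent by the remote side about the client's own request. Only the first sample line is the poster's; the other two are constructed, and the interface name `outside` is taken from the posted config.

```python
import re
from collections import Counter

# Constructed sample syslog: line 1 is the poster's message, lines 2-3 are made up.
SAMPLE_LOG = """\
Sep 1 13:42:52 192.168.120.248 %PIX-4-313005: No matching connection for ICMP error message: icmp src guest:192.168.0.10 dst outside:8.8.8.8 (type 3, code 3) on guest interface. Original IP payload: udp src 8.8.8.8/53 dst 192.168.0.10/52456.
Sep 1 13:43:10 192.168.120.248 %PIX-4-313005: No matching connection for ICMP error message: icmp src guest:192.168.0.25 dst outside:8.8.4.4 (type 3, code 3) on guest interface. Original IP payload: udp src 8.8.4.4/53 dst 192.168.0.25/52444.
Sep 1 13:44:01 192.168.120.248 %PIX-4-313005: No matching connection for ICMP error message: icmp src outside:203.0.113.7 dst guest:192.168.0.10 (type 3, code 1) on outside interface. Original IP payload: udp src 192.168.0.10/60000 dst 203.0.113.7/53.
"""

PATTERN = re.compile(
    r"%PIX-4-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<if>\w+) interface\. "
    r"Original IP payload: (?P<proto>\w+) src (?P<o_src>[\d.]+)/(?P<o_sport>\d+) "
    r"dst (?P<o_dst>[\d.]+)/(?P<o_dport>\d+)\.?"
)

def parse_313005(line):
    """Return the fields of one 313005 message plus a verdict, or None if no match."""
    m = PATTERN.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("type", "code", "o_sport", "o_dport"):
        d[k] = int(d[k])
    # The guest-side host is whichever address is not on the 'outside' interface.
    d["client"] = d["src"] if d["src_if"] != "outside" else d["dst"]
    # ICMP sender == destination of the embedded packet: the sender rejected that
    # packet. With type 3/code 3 and embedded source port 53 that is a DNS reply
    # arriving after the client stopped listening on its ephemeral port.
    if d["src"] == d["o_dst"] and d["type"] == 3 and d["code"] == 3 and d["o_sport"] == 53:
        d["verdict"] = "late-dns-reply-rejected-by-client"
    elif d["dst"] == d["o_src"]:
        d["verdict"] = "icmp-error-about-client-request"
    else:
        d["verdict"] = "other"
    return d

def summarize(log_text):
    """Tally (client, verdict) pairs so a noisy guest host stands out."""
    tally = Counter()
    for line in log_text.splitlines():
        d = parse_313005(line)
        if d:
            tally[(d["client"], d["verdict"])] += 1
    return tally
```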
09-01-2014 01:46 PM
Hi parisvcisco
It looks like the device that has been assigned the IP 192.168.0.10 is trying to use the DNS server (53) of the IP 8.8.8.8, and the ASA captures that the destination is unreachable (type 3) and the port requested is unreachable (code 3).
It might be an application on the device, or the ASA could be dropping the request for security reasons.
I would suggest you place a capture on the inside, verify this is a DNS request, and see which application might be causing this behavior.
Hope this helps!
- Randy -
09-01-2014 08:39 PM
Yes on the switch I have set the DNS server to be 8.8.8.8 and 8.8.4.4 for that vlan. Do I need to do something on the firewall to allow this?
09-02-2014 09:10 AM
Hi ,
And does the DNS service work fine?
It looks like the ASA is sometimes not able to reach the DNS server; can you check if the ASA is dropping the service?
I suggest you place an ASP capture,
Example :
Capture drop interface inside type asp-drop all
Wait a couple of seconds or manually start a DNS request
And check the capture: Show capture drop | incl 53
Also check on the service policy if the DNS has the inspection enable.
Hope this helps
Please rate helpful posts!
- Randy -
09-03-2014 12:56 AM
I don't have type available......
# capture drop interface inside ?
access-list Capture packets that match access-list
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is
non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
headers-only Capture only L2, L3 and L4 headers of packet without data in
them
match Capture packets matching five-tuple
packet-length Configure maximum length to save from each packet, default
is 68 bytes
real-time Display captured packets in real-time. Warning: using this
option with a slow console connection may result in an
excessive amount of non-displayed packets due to performance
limitations.
trace Trace the captured packets
FYI this is a Cisco PIX 515E, so pretty old!
09-03-2014 01:30 AM
I was able to run this:
capture asp type asp-drop all
# show capture asp | inc 8.8.8.8
327: 09:00:10.672618 802.1Q vlan#2 P0 192.168.0.25 > 8.8.8.8: icmp: 192.168.0.25 udp port 52444 unreachable
We have icmp permit any outside but would icmp permit any guest work/help?
09-03-2014 05:03 AM
Hi,
Any reason why your IP phone initiates the traffic for 8.8.8.8? Can you check the settings of the IP phone and make sure it is as per your requirement....
Type 3 – Destination Unreachable
Code 3 - Destination port unreachable
For DNS to work..... you need to allow domain in the access-list.
access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.8.8 eq domain
access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.4.4 eq domain
Also you need to allow the echo-reply for this on the inbound ACL of the outside interface.
any to 192.168.0.0 - echo-reply
09-03-2014 05:07 AM
Not IP phones, just iPhones!
So VLAN 2 is for the guest wifi and I want them to use Google's DNS servers for DNS.
So on the switch that's doing the routing I have set:
ip dhcp pool guest_wifi_pool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.248
dns-server 8.8.8.8 8.8.4.4
Do I still need to do the steps you have posted?
09-03-2014 05:25 AM
Hi,
Yes.... on your guest-connected interface you need to allow DNS (domain) UDP 53 from the guest LAN to 8.8.8.8 / 8.8.4.4.
And if you want to allow ICMP access to those DNS servers for checking or testing, then you need to allow echo on the guest-connected interface ACL and echo-reply on the outside interface ACL...
Regards
Karthik
09-03-2014 05:49 AM
At the moment I have
access-group guest-out in interface guest
Do I need to do
access-group guest-in in interface guest
then
access-group guest-in any to 192.168.0.0 - echo-reply
09-03-2014 06:09 AM
Nope....
Please send me your configuration file.... hide the sensitive information and send it to this post or by private message... I will advise you on that..
Regards
Karthik
03-09-2020 02:51 AM
We had the same problem and log messages.
The solution in our scenario is to disable IPv6 on the ethernet adapter of the affected notebook. After that, DNS was successful.
Just in case someone else has the same problem, this might be an alternative solution.