Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
3
Replies

No Matching connection for ICMP

Adrian Jones
Level 1
Level 1

‎10-27-2015 04:46 AM - edited ‎03-11-2019 11:47 PM

Hi All,

 

    Apologies as this has been mentioned numerous times before but can anyone point me to a specific resolution for this issue we have?

 

  Our web proxies are connecting to OpenDNS on UDP 53 and our firewalls are configured to let this traffic through.

 

Our log servers are getting filled with the following (names and key ips changed):

 

2015-10-27 11:29:22  Local6.Warning    "Ip Address" Oct 27 2015 11:29:33 "Firewall": %ASA-4-313500: No matching connection for ICMP error message: icmp src: "interface" 1.1.1.1 dst outside:208.67.220.220 (type 3, code 3) on "interface" interface. original IP payload: udp src 208.67.220.220/53 dst 1.1.1.1/43222

Same for alternate OpenDNS IP 208.67.222.222

 

These are about 95% of the log errors I have on the path.

 

We have inspect icmp error enabled and I have added a rule to permit ICMP unreachables but this does not stop this error logging.

 

Any advice will be priceless.

 

Thanks in advance

 

Adrian

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎10-27-2015 05:29 AM

Have you allowed ICMP unreachable in the relevant interface ACLs and not just added the inspect icmp command?

--

Please remember to select a correct answer and rate helpful posts
 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Adrian Jones
Level 1
Level 1
In response to Marius Gunnerud

‎10-27-2015 06:01 AM

Yes, I added the rule for permit icmp any any unreachable for the interface concerned. I get a helathy count on this rule but I still see the above being reported.

 

We always use an permit icmp any any in the access-list on each interface anyway.

 

0 Helpful

rodrigog
Level 1
Level 1

‎10-27-2015 05:06 PM

Hello Adrian

Please refer to the next guide

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html#err

Regards,

Rodrigo 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card