Adrian Jones
Beginner

No Matching connection for ICMP

Hi All,

Apologies as this has been mentioned numerous times before but can anyone point me to a specific resolution for this issue we have?

Our web proxies are connecting to OpenDNS on UDP 53 and our firewalls are configured to let this traffic through.

Our log servers are getting filled with the following (names and key IPs changed):

2015-10-27 11:29:22  Local6.Warning    "Ip Address" Oct 27 2015 11:29:33 "Firewall": %ASA-4-313500: No matching connection for ICMP error message: icmp src: "interface" 1.1.1.1 dst outside:208.67.220.220 (type 3, code 3) on "interface" interface. original IP payload: udp src 208.67.220.220/53 dst 1.1.1.1/43222

Same for the alternate OpenDNS IP 208.67.222.222.

These are about 95% of the log errors I have on the path.

We have inspect icmp error enabled and I have added a rule to permit ICMP unreachables but this does not stop this error logging.

Any advice will be priceless.

Thanks in advance

Adrian
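For anyone triaging a log server full of these, here is a small Python script that parses the fields of an %ASA-4-313500 line and groups the errors by the ICMP destination and by what the embedded original packet was. It is an added example, not code from this thread or from Cisco; the sample lines are constructed to follow the message layout quoted above (interface names and the inside address 192.0.2.10 are placeholders, the OpenDNS addresses are the ones named in the post), and the classification labels are my own. It makes visible whether the noise really is, as in the post, port-unreachable replies to UDP/53 answers whose connection the ASA had already torn down, or whether other ICMP errors are mixed in.

```python
"""Triage %ASA-4-313500 syslog noise by parsing the ICMP error and its embedded packet."""
import re
from collections import Counter

# Constructed sample syslog lines modelled on the 313500 message quoted in the
# post. Interface names and the inside host 192.0.2.10 are placeholders; the
# OpenDNS resolvers are the addresses named in the thread. The last line is a
# different ASA message, included to show that non-313500 lines are skipped.
SAMPLE_LOGS = [
    'Oct 27 2015 11:29:33 fw1 : %ASA-4-313500: No matching connection for ICMP error message: '
    'icmp src inside:192.0.2.10 dst outside:208.67.220.220 (type 3, code 3) on inside interface. '
    'original IP payload: udp src 208.67.220.220/53 dst 192.0.2.10/43222',
    'Oct 27 2015 11:29:35 fw1 : %ASA-4-313500: No matching connection for ICMP error message: '
    'icmp src inside:192.0.2.10 dst outside:208.67.220.220 (type 3, code 3) on inside interface. '
    'original IP payload: udp src 208.67.220.220/53 dst 192.0.2.10/43301',
    'Oct 27 2015 11:29:36 fw1 : %ASA-4-313500: No matching connection for ICMP error message: '
    'icmp src inside:192.0.2.10 dst outside:208.67.222.222 (type 3, code 3) on inside interface. '
    'original IP payload: udp src 208.67.222.222/53 dst 192.0.2.10/43310',
    'Oct 27 2015 11:29:40 fw1 : %ASA-4-313500: No matching connection for ICMP error message: '
    'icmp src inside:192.0.2.10 dst outside:198.51.100.5 (type 3, code 1) on inside interface. '
    'original IP payload: tcp src 198.51.100.5/443 dst 192.0.2.10/51000',
    'Oct 27 2015 11:29:41 fw1 : %ASA-6-302015: Built outbound UDP connection 12345 for '
    'outside:208.67.220.220/53 (208.67.220.220/53) to inside:192.0.2.10/43400 (192.0.2.10/43400)',
]

# Field layout of the 313500 body: "icmp src IF:IP dst IF:IP (type T, code C) on IF
# interface. original IP payload: PROTO src IP/PORT dst IP/PORT".
_RE_313500 = re.compile(
    r"%ASA-4-313500: No matching connection for ICMP error message: "
    r"icmp src (?P<src_if>[^:\s]+):(?P<src_ip>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) "
    r"on (?P<on_if>\S+) interface\. "
    r"original IP payload: (?P<proto>\w+) "
    r"src (?P<emb_src_ip>[^/\s]+)/(?P<emb_src_port>\d+) "
    r"dst (?P<emb_dst_ip>[^/\s]+)/(?P<emb_dst_port>\d+)",
    re.IGNORECASE,
)


def parse_313500(line):
    """Return the fields of one 313500 line as a dict, or None for any other line."""
    m = _RE_313500.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "emb_src_port", "emb_dst_port"):
        rec[key] = int(rec[key])
    rec["proto"] = rec["proto"].lower()
    return rec


def classify(rec):
    """Label the error by what the embedded (original) packet was."""
    if (rec["type"] == 3 and rec["code"] == 3
            and rec["proto"] == "udp" and rec["emb_src_port"] == 53):
        # The inside host answered a DNS reply with ICMP port-unreachable; the ASA
        # no longer held the UDP/53 connection, so the error matched nothing.
        return "port-unreachable for DNS reply"
    if rec["type"] == 3:
        return "unreachable, code %d" % rec["code"]
    return "icmp type %d code %d" % (rec["type"], rec["code"])


def summarize(lines):
    """Count 313500 errors by (ICMP destination, classification)."""
    counts = Counter()
    matched = 0
    for line in lines:
        rec = parse_313500(line)
        if rec is None:
            continue
        matched += 1
        counts[(rec["dst_ip"], classify(rec))] += 1
    return {"total_lines": len(lines), "matched": matched, "by_dst": counts}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    print("%d of %d lines were 313500 errors" % (summary["matched"], summary["total_lines"]))
    for (dst, label), n in summary["by_dst"].most_common():
        print("%6d  %-16s %s" % (n, dst, label))
```

Feed it the raw syslog export instead of SAMPLE_LOGS to see how much of the volume is the DNS-reply case the post describes versus other unreachables worth a closer look; the regex expects the standard message layout, not the quoted version with the names replaced.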

3 REPLIES
Marius Gunnerud
VIP Advisor

Have you allowed ICMP unreachable in the relevant interface ACLs and not just added the inspect icmp command?

--

Please remember to select a correct answer and rate helpful posts

Yes, I added the rule for permit icmp any any unreachable for the interface concerned. I get a healthy count on this rule but I still see the above being reported.

We always use a permit icmp any any in the access-list on each interface anyway.


rodrigog
Beginner

Hello Adrian

Please refer to the following guide:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html#err

Regards,

Rodrigo