09-19-2016 03:08 PM - edited 03-12-2019 01:17 AM
Hello community, I don't know what else to try in order to troubleshoot this. Recently I noticed a lot of ICMP error messages in our syslog and I don't know how to avoid the errors.
Sep 19 2016 16:53:19 : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.31.200.201 dst outside:8.8.8.8 (type 3, code 3) on inside interface. Original IP payload: udp src 8.8.8.8/53 dst 172.31.200.201/48279.
I'm seeing this from multiples hosts and so far I have tried:
* inspect icmp
* allow icmp on both interfaces (inside and outside)
* allow each icmp type (echo, echo-reply, unreachable, source-quench, time-exceeded) [1]
* permit the firewall to show on traceroutes
Nothing, the errors keep coming :( Suggestions?
09-19-2016 09:08 PM
Hello Rolando,
Looking into the syslog, it looks as if the packet was received on the inside interface. Ideally this log message should be received on the outside interface.
For your internal LAN, do you have the DNS server configured as 8.8.8.8?
Ideally, if for your local LAN we have the DNS server as 8.8.8.8, then in that case
172.31.200.201:12345 --> 8.8.8.8:53 (UDP) should be the flow, for which an ICMP error message might be sent if the server is not listening on that port.
Do we have DNS inspection enabled? Maybe that should help, as the actual traffic is DNS traffic.
Regards,
Pulkit
09-19-2016 09:13 PM
Rolando,
I just gave it another thought, and yes, we can even receive it on the inside interface: where the server takes too long to respond to the DNS query, the ASA still has the connection open and allows the packet to the client.
However, the client has already removed the entry and thus the client responds with ICMP type 3 code 3.
Regards,
Pulkit
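The race described above leaves a recognisable fingerprint in the %ASA-4-313005 line: the ICMP error is received on the inside interface, it is type 3 code 3 (port unreachable), and the embedded original payload is a UDP packet from port 53 back to the client. The parser below, an added example that is not part of this thread or of any Cisco tool, extracts those fields with a regular expression and sorts each message into the late-DNS-reply case, the server-side port-unreachable case, TTL-exceeded (traceroute-style) errors, or "other". The log lines are constructed for the example, modelled on the one quoted in the question; the category names and the summary layout are my own choices.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the %ASA-4-313005 message quoted in the
# thread. Addresses other than 8.8.8.8 and the timestamps are made up for the example.
SAMPLE_LOGS = [
    "Sep 19 2016 16:53:19 : %ASA-4-313005: No matching connection for ICMP error message: "
    "icmp src inside:172.31.200.201 dst outside:8.8.8.8 (type 3, code 3) on inside interface. "
    "Original IP payload: udp src 8.8.8.8/53 dst 172.31.200.201/48279.",
    "Sep 19 2016 16:53:21 : %ASA-4-313005: No matching connection for ICMP error message: "
    "icmp src inside:172.31.200.77 dst outside:8.8.8.8 (type 3, code 3) on inside interface. "
    "Original IP payload: udp src 8.8.8.8/53 dst 172.31.200.77/51002.",
    "Sep 19 2016 16:54:02 : %ASA-4-313005: No matching connection for ICMP error message: "
    "icmp src outside:8.8.8.8 dst inside:172.31.200.201 (type 3, code 3) on outside interface. "
    "Original IP payload: udp src 172.31.200.201/48280 dst 8.8.8.8/53.",
    "Sep 19 2016 16:55:10 : %ASA-4-313005: No matching connection for ICMP error message: "
    "icmp src outside:203.0.113.9 dst inside:172.31.200.50 (type 11, code 0) on outside interface. "
    "Original IP payload: udp src 172.31.200.50/33434 dst 203.0.113.9/33435.",
    # An unrelated message, to show that non-313005 lines are counted but not parsed.
    "Sep 19 2016 16:55:12 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:...",
]

# Field layout of the 313005 message as it appears in the question. Interface names
# (nameifs) may contain '-' or '_', hence [\w-]+.
PATTERN = re.compile(
    r"%ASA-4-313005: No matching connection for ICMP error message: icmp "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<rx_if>[\w-]+) interface\. "
    r"Original IP payload: (?P<proto>\w+) src (?P<orig_src>[\d.]+)/(?P<orig_sport>\d+) "
    r"dst (?P<orig_dst>[\d.]+)/(?P<orig_dport>\d+)\."
)


def parse_313005(line):
    """Return a dict of the message's fields, or None if the line is not a 313005 message."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "orig_sport", "orig_dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Name the scenario a parsed 313005 record most likely represents."""
    port_unreachable = rec["type"] == 3 and rec["code"] == 3
    udp = rec["proto"].lower() == "udp"
    # The case from the thread: an inside client answers a DNS reply it no longer
    # expects with port unreachable; the embedded packet is server:53 -> client.
    if port_unreachable and udp and rec["rx_if"] == "inside" and rec["orig_sport"] == 53:
        return "client-rejected-late-dns-reply"
    # The mirror image: the DNS server itself says nothing listens on port 53.
    if port_unreachable and udp and rec["rx_if"] == "outside" and rec["orig_dport"] == 53:
        return "dns-server-port-unreachable"
    if rec["type"] == 11:
        return "ttl-exceeded"
    return "other-icmp-error"


def summarize(lines):
    """Count scenarios across a batch of syslog lines and list which inside clients
    are sending port-unreachable for late DNS replies (the hosts worth checking)."""
    by_category = Counter()
    rejecting_clients = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_313005(line)
        if rec is None:
            unparsed += 1
            continue
        category = classify(rec)
        by_category[category] += 1
        if category == "client-rejected-late-dns-reply":
            rejecting_clients[rec["src_ip"]] += 1
    return {
        "by_category": dict(by_category),
        "clients_rejecting_dns_replies": dict(rejecting_clients),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOGS)["by_category"].items():
        print(f"{category}: {count}")
```

Run over an exported syslog file instead of SAMPLE_LOGS, the client list is what the later advice in this thread asks for: the hosts to try a different DNS server on first, and the ones whose adapter or resolver settings to inspect. A high count of "dns-server-port-unreachable" would instead point at the resolver rather than the clients.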
09-20-2016 09:34 AM
Hi Pulkit! :)
So you think it is a timing error? I was wondering whether the ASA is limiting ICMP or something... Do you have an idea of what I can tweak to stop the errors?
Thank you.
09-20-2016 05:24 PM
Rolando,
Since we are receiving it on the inside interface, we need to see why the client is even sending such packets. The ASA is not at fault. We can try changing the DNS server on a few of our local machines to start with, and see whether for them the logs stop coming or not.
Regards,
Pulkit
03-09-2020 02:51 AM
We had the same problem and log messages.
The solution in our scenario was to disable IPv6 on the Ethernet adapter of the affected notebook. After that, DNS was successful.
Just in case someone else has the same problem, this might be an alternative solution.