No matching connection for ICMP

Hello community, I don't know what else to try in order to troubleshoot this. Recently I noticed a lot of ICMP error messages in our syslog and I don't know how to avoid the errors.

Sep 19 2016 16:53:19  : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.31.200.201 dst outside:8.8.8.8 (type 3, code 3) on inside interface.  Original IP payload: udp src 8.8.8.8/53 dst 172.31.200.201/48279.

I'm seeing this from multiple hosts and so far I have tried:

* inspect icmp

* allow icmp on both interfaces (inside and outside)

* allow each icmp type (echo, echo-reply, unreachable, source-quench, time-exceeded) [1]

* permit the firewall to show on traceroutes

Nothing; the errors keep coming :( Suggestions?

5 Replies

Pulkit Saxena
Cisco Employee

Hello Rolando,

Looking into the syslog, it looks as if the packet was received on inside interface. Ideally this log message should be received on the outside interface.

For your internal LAN, do you have the DNS server configured as 8.8.8.8?

Ideally, if for your local LAN we have the DNS server as 8.8.8.8, then in that case,

172.31.200.201:12345 --> 8.8.8.8:53 - UDP, this should be the flow, for which an ICMP error message might be sent if the server is not listening on that port.

Do we have DNS inspection enabled? Maybe that should help, as the actual traffic is DNS traffic.

Regards,

Pulkit 

Rolando,

I just gave it another thought and yes, we can even receive it on the inside interface, where the server takes too long to respond to the DNS query, the ASA still has the connection open and allows the packet to the client.

However, the client has already removed the entry and thus the client responds with ICMP type 3 code 3.

Regards,

Pulkit

Hi Pulkit! :)
So you think it is a timing error? I was wondering if the ASA is limiting ICMP or something... Do you have an idea of what I can tweak to stop the errors?

Thank you.

Rolando,

Since we are receiving it on the inside interface, we need to see why the client is even sending such packets. The ASA is not at fault. We can try changing the DNS server on a few of our local machines to start with, and see whether for them the logs stop coming or not.

Regards,

Pulkit
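A small log-triage helper, added here as an example and not part of this thread or of any Cisco tool: it parses %ASA-4-313005 lines of the shape quoted above, labels the ones that fit Pulkit's explanation (port unreachable from an inside client, quoting a late DNS reply from the server) and counts them per client, which is the per-host view you would want before changing the DNS server on a few machines. The two extra log lines, the group names and the label names are constructed.

```python
import re
from collections import Counter

# Pattern for the %ASA-4-313005 line shape quoted in this thread (group names are my own labels).
ASA_313005 = re.compile(
    r"%ASA-4-313005: .*icmp src (?P<src_if>\w+):(?P<src_ip>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+) \(type (?P<type>\d+), "
    r"code (?P<code>\d+)\) on (?P<rx_if>\w+) interface\.\s+Original IP payload: "
    r"(?P<proto>\w+) src (?P<orig_src_ip>[\d.]+)/(?P<orig_src_port>\d+) "
    r"dst (?P<orig_dst_ip>[\d.]+)/(?P<orig_dst_port>\d+)\.")

def parse_313005(line):
    m = ASA_313005.search(line)
    if not m:
        return None  # not a 313005 message
    rec = m.groupdict()
    for key in ("type", "code", "orig_src_port", "orig_dst_port"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    # Port unreachable received on inside, quoting a UDP/53 reply: the client had
    # already closed its resolver socket when the late DNS answer arrived, so its
    # ICMP error matches no connection on the ASA (the case described in the thread).
    if (rec["rx_if"] == "inside" and rec["type"] == 3 and rec["code"] == 3
            and rec["proto"] == "udp" and rec["orig_src_port"] == 53):
        return "late-dns-reply"
    if rec["rx_if"] == "outside":
        return "external-icmp-error"
    return "other"

def summarize(lines):
    by_label, by_client = Counter(), Counter()
    for line in lines:
        rec = parse_313005(line)
        if rec is None:
            continue
        label = classify(rec)
        by_label[label] += 1
        if label == "late-dns-reply":
            by_client[(rec["src_ip"], rec["orig_src_ip"])] += 1  # (client, DNS server)
    return by_label, by_client

# Constructed sample: the line from the thread plus two made-up ones.
SAMPLE_LOG = [
    "Sep 19 2016 16:53:19  : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.31.200.201 dst outside:8.8.8.8 (type 3, code 3) on inside interface.  Original IP payload: udp src 8.8.8.8/53 dst 172.31.200.201/48279.",
    "Sep 19 2016 16:53:41  : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.31.200.77 dst outside:8.8.8.8 (type 3, code 3) on inside interface.  Original IP payload: udp src 8.8.8.8/53 dst 172.31.200.77/51022.",
    "Sep 19 2016 16:54:02  : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:203.0.113.1 dst inside:172.31.200.201 (type 11, code 0) on outside interface.  Original IP payload: udp src 172.31.200.201/33434 dst 8.8.8.8/53.",
]
print(summarize(SAMPLE_LOG))
```

A client that keeps appearing in the per-client counter after its DNS server is changed is the one to look at more closely.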

Kevin_W
Level 1

We had the same problem and log messages.
The solution in our scenario is to disable IPv6 on the Ethernet adapter of the affected notebook. After that, DNS was successful.

Just in case some others have the same problem, this might be an alternative solution.
