10-27-2015 04:46 AM - edited 03-11-2019 11:47 PM
Hi All,
Apologies as this has been mentioned numerous times before but can anyone point me to a specific resolution for this issue we have?
Our web proxies are connecting to OpenDNS on UDP 53 and our firewalls are configured to let this traffic through.
Our log servers are getting filled with the following (names and key ips changed):
2015-10-27 11:29:22 Local6.Warning "Ip Address" Oct 27 2015 11:29:33 "Firewall": %ASA-4-313500: No matching connection for ICMP error message: icmp src: "interface" 1.1.1.1 dst outside:208.67.220.220 (type 3, code 3) on "interface" interface. original IP payload: udp src 208.67.220.220/53 dst 1.1.1.1/43222
Same for alternate OpenDNS IP 208.67.222.222
These are about 95% of the log errors I have on the path.
We have inspect icmp error enabled and I have added a rule to permit ICMP unreachables but this does not stop this error logging.
Any advice will be priceless.
Thanks in advance
Adrian
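The log line quoted above has a fixed shape that can be parsed mechanically, which is what a log-server or SIEM filter would need in order to count this particular noise separately from other ICMP unreachables (which you generally want to keep visible). The following is an added example, not code from this thread or from Cisco: it parses the body of a %ASA-4-313500 message, labels the case shown above (ICMP type 3 code 3 whose embedded payload is a UDP/53 reply) and summarizes a batch of lines. The sample log lines are constructed to match the format in the post; the interface names, timestamps and the 1.1.1.1 client address are placeholders.

```python
"""Classify Cisco ASA %ASA-4-313500 ICMP-error messages for log triage.

Added example for this thread; not part of the original posts. The regex
is written against the message layout quoted in the post, and the sample
lines below are constructed (addresses and interface names are placeholders).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Body of a 313500 message. The interface may appear as 'name ip' (as in the
# redacted post) or as 'name:ip', so a lazy token followed by ':' or ' ' is used.
_RE_313500 = re.compile(
    r"%ASA-4-313500: No matching connection for ICMP error message: "
    rf"icmp src:? (?P<in_if>\S+?)[: ](?P<icmp_src>{IP}) "
    rf"dst (?P<out_if>\S+?)[: ](?P<icmp_dst>{IP}) "
    r"\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\) on (?P<on_if>\S+) interface\. "
    r"original IP payload: (?P<proto>\w+) "
    rf"src (?P<orig_src>{IP})/(?P<orig_sport>\d+) "
    rf"dst (?P<orig_dst>{IP})/(?P<orig_dport>\d+)"
)

# ICMP type 3 (destination unreachable) code names used for labelling.
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    4: "fragmentation needed",
    13: "administratively prohibited",
}


@dataclass(frozen=True)
class IcmpError:
    in_if: str
    icmp_src: str
    out_if: str
    icmp_dst: str
    icmp_type: int
    icmp_code: int
    proto: str
    orig_src: str
    orig_sport: int
    orig_dst: str
    orig_dport: int


def parse_313500(line: str) -> Optional[IcmpError]:
    """Return the parsed 313500 fields, or None if the line is another message."""
    m = _RE_313500.search(line)
    if m is None:
        return None
    return IcmpError(
        in_if=m["in_if"], icmp_src=m["icmp_src"],
        out_if=m["out_if"], icmp_dst=m["icmp_dst"],
        icmp_type=int(m["icmp_type"]), icmp_code=int(m["icmp_code"]),
        proto=m["proto"].lower(),
        orig_src=m["orig_src"], orig_sport=int(m["orig_sport"]),
        orig_dst=m["orig_dst"], orig_dport=int(m["orig_dport"]),
    )


def classify(err: IcmpError) -> str:
    """Label the error. The thread's case is a port unreachable generated by the
    inner host for a UDP reply from port 53, i.e. a DNS answer that arrived after
    the client socket (and the ASA's UDP connection entry) were already gone."""
    if err.icmp_type == 3 and err.icmp_code == 3 and err.proto == "udp" and err.orig_sport == 53:
        return "dns-reply-port-unreachable"
    if err.icmp_type == 3:
        return "unreachable: " + ICMP_UNREACHABLE_CODES.get(err.icmp_code, f"code {err.icmp_code}")
    return f"icmp type {err.icmp_type} code {err.icmp_code}"


def summarize(lines: Iterable[str]) -> dict:
    """Count 313500 lines per label, and per resolver for the DNS-reply case."""
    by_class: Counter = Counter()
    dns_resolvers: Counter = Counter()
    for line in lines:
        err = parse_313500(line)
        if err is None:
            continue
        label = classify(err)
        by_class[label] += 1
        if label == "dns-reply-port-unreachable":
            dns_resolvers[err.orig_src] += 1
    return {"by_class": by_class, "dns_resolvers": dns_resolvers}


# Constructed sample lines in the format quoted in the post (placeholders throughout).
SAMPLE_LINES = [
    '2015-10-27 11:29:22 Local6.Warning 10.0.0.1 Oct 27 2015 11:29:33 fw01: %ASA-4-313500: No matching connection for ICMP error message: icmp src: inside 1.1.1.1 dst outside:208.67.220.220 (type 3, code 3) on inside interface. original IP payload: udp src 208.67.220.220/53 dst 1.1.1.1/43222',
    '2015-10-27 11:29:24 Local6.Warning 10.0.0.1 Oct 27 2015 11:29:35 fw01: %ASA-4-313500: No matching connection for ICMP error message: icmp src: inside 1.1.1.1 dst outside:208.67.222.222 (type 3, code 3) on inside interface. original IP payload: udp src 208.67.222.222/53 dst 1.1.1.1/50210',
    '2015-10-27 11:30:01 Local6.Warning 10.0.0.1 Oct 27 2015 11:30:12 fw01: %ASA-4-313500: No matching connection for ICMP error message: icmp src: outside 198.51.100.1 dst inside:1.1.1.1 (type 3, code 1) on outside interface. original IP payload: tcp src 1.1.1.1/51000 dst 203.0.113.10/443',
    '2015-10-27 11:30:02 Local6.Info 10.0.0.1 Oct 27 2015 11:30:13 fw01: %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 to inside:1.1.1.1/51000 duration 0:00:30 bytes 4096 TCP FINs',
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LINES)["by_class"].items():
        print(f"{n:5d}  {label}")
```

Run as-is, it prints two lines for the DNS-reply case and one host-unreachable line; in a real pipeline the label is what you would key a suppression or a separate dashboard on, so that the DNS noise drops out of the alert stream while other unreachables remain visible.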
10-27-2015 05:29 AM
Have you allowed ICMP unreachable in the relevant interface ACLs and not just added the inspect icmp command?
--
Please remember to select a correct answer and rate helpful posts
10-27-2015 06:01 AM
Yes, I added the rule for permit icmp any any unreachable for the interface concerned. I get a healthy count on this rule but I still see the above being reported.
We always use a permit icmp any any in the access-list on each interface anyway.
10-27-2015 05:06 PM
Hello Adrian
Please refer to the following guide
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html#err
Regards,
Rodrigo