08-24-2008 12:38 PM - edited 03-11-2019 06:35 AM
Currntly receiving this sys log message on an intermittent basis. Needs some help as to what it means.
08-24-2008 02:14 PM
313005
Error Message %PIX|ASA-4-313005: No matching connection for ICMP error message: icmp_msg_info on interface_name interface. Original IP payload: embedded_frame_info icmp_msg_info = icmp src src_interface_name:src_address dst dest_interface_name:dest_address (type icmp_type, code icmp_code) embedded_frame_info = prot src source_address/source_port dst dest_address/dest_port
Explanation ICMP error packets were dropped by the security appliance because the ICMP error messages are not related to any session already established in the security appliance.
Recommended Action If the cause is an attack, you can deny the host by using ACLs.
Do you have icmp inspection turned on in your policy-map?
08-24-2008 05:53 PM
No I don't. I am a little concerned about this particular sys log id.
08-24-2008 11:53 PM
If you don't have icmp inspect enabled then icmp is not stateful, and no icmp will pass through the firewall...
08-25-2008 07:01 AM
I don't want to enable it because I don't want ICMP to pass through the firewall, i.e. I don't want anyone to be able to ping or traceroute the firewall, at all. Is this sys log ID something that I should be worried about?
08-28-2008 12:16 PM
Hi Chad,
If you don't want ICMP to be passing through the firewall, then no you don't have worry about these messages. They are simply indicating that the firewall is doing its job correctly.
As the syslog documentation says, you can block ICMP on your inbound ACLs and this will prevent the firewall from processing the packets and generating these messages (though you may then see messages indicating the traffic was dropped to an ACL rule depending on your logging level).
Hope that helps.
-Mike
08-29-2008 12:48 PM
Thank you for your response. How do I get rid of this message?
Thanks
08-29-2008 12:58 PM
Hi Chad,
You can use the 'no logging message 313005' command to stop the firewall from generating these messages.
-Mike
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide