Deny inbound icmp (type 3, code 13) after upgrade to ASA 8.4

Hi!

After the upgrade to ASA 8.4(2)8 we get a lot of messages like this in the ASDM log:

Deny inbound icmp src inside:<ip from router on inside> dst inside:<ip of AnyConnect client> (type 3, code 13)

The setup looks roughly like this:

Local LANs <--> Filtering Router Inside <--> ASA <--> Filtering Router Outside<--> Internet

Before the upgrade from version 8.3(2)4 to version 8.4(2)8 we had not seen these log entries. No configuration has changed, and we have had no user complaints after the upgrade.

We get rid of the messages when enabling same-security-traffic permit inter-interface, but we'd rather not do that.

What can be the cause of these log entries?

Best regards,

Fredrik
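As an added example (not from the original post and not Cisco's code), a small Python triage script for the log entries quoted above: it parses the ASA "Deny inbound icmp" message, decodes the ICMP type 3 codes, and counts which sender is emitting them toward which interface. The sample log lines and their addresses are constructed.

```python
import re
from collections import Counter

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1812.
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
    4: "fragmentation needed and DF set", 9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited (filtered by an ACL)",
}

# Body of ASA syslog message 106014; any timestamp or message-ID prefix is ignored.
DENY_RE = re.compile(
    r"Deny inbound icmp src (?P<sif>[^:\s]+):(?P<sip>\S+) "
    r"dst (?P<dif>[^:\s]+):(?P<dip>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

def parse_deny(line):
    """Return a dict for a 106014 line (src/dst interface and IP, type, code), else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {"src_if": m["sif"], "src_ip": m["sip"], "dst_if": m["dif"], "dst_ip": m["dip"],
            "type": int(m["type"]), "code": int(m["code"])}

def describe(icmp_type, icmp_code):
    """Human-readable meaning of the ICMP type/code the ASA dropped."""
    if icmp_type == 3:
        return "destination unreachable: " + UNREACHABLE_CODES.get(icmp_code, f"code {icmp_code}")
    return f"icmp type {icmp_type} code {icmp_code}"

def summarize(lines):
    """Count dropped ICMP errors per (sender IP, sender interface, receiving interface, type, code).
    The sender is the device doing the filtering; a large count toward one range points at what it rejects."""
    counts = Counter()
    for rec in map(parse_deny, lines):
        if rec:
            counts[(rec["src_ip"], rec["src_if"], rec["dst_if"], rec["type"], rec["code"])] += 1
    return dict(counts)

# Constructed sample log modelled on the entry quoted in the question (placeholder addresses).
SAMPLE_LOG = """\
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.1 dst inside:10.9.0.21 (type 3, code 13)
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.1 dst inside:10.9.0.22 (type 3, code 13)
%ASA-3-106014: Deny inbound icmp src outside:203.0.113.5 dst outside:198.51.100.7 (type 3, code 3)
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51000 to inside:10.9.0.21/443
""".splitlines()
if __name__ == "__main__":
    for (src_ip, src_if, dst_if, t, c), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}x {src_ip} ({src_if}) -> {dst_if}: {describe(t, c)}")
```

Run against a real ASDM or syslog export instead of SAMPLE_LOG to see which inside device is sending the administratively-prohibited replies and to which client addresses.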


Marcin Latosiewicz
Cisco Employee

Looks like the router is dropping something AC is sending. Most likely not user-initiated traffic.

For reference:

http://en.wikipedia.org/wiki/ICMP_Destination_Unreachable

Do you have "inspect icmp error" enabled on the ASA?

I would sniff that traffic and check what is being dropped.

Yes, you're probably right. The thing is that we have not made any changes to either the router config or the AnyConnect version; we just upgraded the ASA box to 8.4.

"inspect icmp error" is enabled on the ASA.