10-21-2011 05:39 AM
Hi!
After the upgrade to ASA 8.4(2)8 we get a lot of messages like this in the ASDM log:
Deny inbound icmp src inside:<ip from router on inside> dst inside:<ip of AnyConnect client> (type 3, code 13)
The setup looks roughly like this:
Local LANs <--> Filtering Router Inside <--> ASA <--> Filtering Router Outside<--> Internet
Before the upgrade from version 8.3(2)4 to version 8.4(2)8 we had not seen these log entries. No configuration
has changed, and we have had no user complaints after the upgrade.
We get rid of the messages by enabling same-security-traffic permit inter-interface, but we'd rather not do that.
What can be the cause of these log entries?
Best regards,
Fredrik
10-22-2011 05:19 AM
Looks like the router is dropping something AC is sending. Most likely not user-initiated traffic.
For reference:
http://en.wikipedia.org/wiki/ICMP_Destination_Unreachable
Do you have "inspect icmp error" enabled on the ASA?
I would sniff that traffic and check what is being dropped.
10-28-2011 01:22 AM
Yes, you're probably right. The thing is that we have not made any changes to either the router config or the AnyConnect version; we just upgraded the ASA box to 8.4.
inspect icmp error is enabled on the ASA.
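As an added illustration, not part of the thread above, here is a small Python script that parses ASA "Deny inbound icmp" lines of the shape quoted in the first post, names the ICMP type/code (type 3, code 13 is "communication administratively prohibited" per RFC 1812, which is what a filtering router typically returns when an ACL blocks a packet), and counts events per source/destination pair and per interface pair so you can see which flow to sniff, as the reply suggests. The log lines, addresses and timestamps are constructed placeholders for the inside router and the AnyConnect client pool, not data from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Regex matching the ASA message shape quoted in the thread:
#   Deny inbound icmp src <if>:<ip> dst <if>:<ip> (type N, code M)
DENY_ICMP_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>[\w.-]+):(?P<src_ip>[\d.]+)"
    r" dst (?P<dst_if>[\w.-]+):(?P<dst_ip>[\d.]+)"
    r" \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# ICMP type 3 (destination unreachable) code names from RFC 792 / RFC 1812.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "destination network administratively prohibited",
    10: "destination host administratively prohibited",
    13: "communication administratively prohibited",
}


@dataclass(frozen=True)
class DenyEvent:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    icmp_type: int
    icmp_code: int

    @property
    def same_interface(self) -> bool:
        # Source and destination on the same named ASA interface, as in the
        # thread's "src inside ... dst inside" line.
        return self.src_if == self.dst_if

    @property
    def description(self) -> str:
        if self.icmp_type == 3:
            name = UNREACHABLE_CODES.get(self.icmp_code, f"code {self.icmp_code}")
            return f"destination unreachable, {name}"
        return f"type {self.icmp_type} code {self.icmp_code}"


def parse_deny_icmp(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for an ASA 'Deny inbound icmp' line, else None."""
    m = DENY_ICMP_RE.search(line)
    if m is None:
        return None
    return DenyEvent(
        src_if=m["src_if"], src_ip=m["src_ip"],
        dst_if=m["dst_if"], dst_ip=m["dst_ip"],
        icmp_type=int(m["type"]), icmp_code=int(m["code"]),
    )


def summarize(lines: Iterable[str]) -> dict:
    """Count matching events per (src_ip, dst_ip, description) and per
    interface pair, so the sender/receiver worth sniffing stands out."""
    by_flow: Counter = Counter()
    by_ifpair: Counter = Counter()
    hairpin = 0
    for line in lines:
        ev = parse_deny_icmp(line)
        if ev is None:
            continue
        by_flow[(ev.src_ip, ev.dst_ip, ev.description)] += 1
        by_ifpair[(ev.src_if, ev.dst_if)] += 1
        if ev.same_interface:
            hairpin += 1
    return {"by_flow": dict(by_flow), "by_ifpair": dict(by_ifpair), "hairpin": hairpin}


# Constructed sample log lines (not from the original thread); the addresses are
# placeholders standing in for the inside router and the AnyConnect client pool.
SAMPLE_LOG = [
    "Oct 21 2011 05:39:01: Deny inbound icmp src inside:10.0.0.1 dst inside:10.200.0.15 (type 3, code 13)",
    "Oct 21 2011 05:39:02: Deny inbound icmp src inside:10.0.0.1 dst inside:10.200.0.15 (type 3, code 13)",
    "Oct 21 2011 05:39:03: Deny inbound icmp src inside:10.0.0.1 dst inside:10.200.0.22 (type 3, code 13)",
    "Oct 21 2011 05:39:04: Deny inbound icmp src outside:203.0.113.9 dst inside:10.200.0.15 (type 3, code 1)",
    "Oct 21 2011 05:39:05: Built inbound TCP connection 12345 for outside:203.0.113.9/443",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (src, dst, desc), n in sorted(report["by_flow"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {src} -> {dst}  {desc}")
    print("interface pairs:", report["by_ifpair"])
    print("same-interface events:", report["hairpin"])
```

Feed it the exported ASDM or syslog lines; the top flow in the summary tells you which client address to capture on the inside router (or with the ASA's own capture command) to see the original packet that triggered the administratively-prohibited reply.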