02-17-2011 09:43 AM
We have ASA 5540, running IOS 8.2.(4). For some reason, I kept getting email notification about this message "<155>Feb 17 2011 04:59:16: %ASA-3-106014: Deny inbound icmp src Outside:74.125.24.179 dst Inside:74.125.20.1 (type 3, code 1)". Sometimes, I get this email notification 3 times within 1 minute interval. Do you have any suggestions what caused this type of error message and how to fix it? No one was logging in to Cisco VPN client when this error occurred.
Thanks.
Diane
02-19-2011 04:16 PM
Ok, analyzing the original message:
ICMP type 3, code 1 is Host Unreachable.
So, a remote router will normally reply with ICMP Type 3 code 1 when you send a packet attempting to connect to a host that does not exist, or exists but is turned off/disconnected. You need to review your outbound traffic, and find what host is sending the original traffic to an unreachable host.
Most likely this is a response to an outbound packet (getting translated to the outside IP of the ASA).
Federico.
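The triage Federico describes starts from the log line itself: decode the ICMP type/code, then group the denied packets by source and destination and look at how often they arrive, so the outbound flow that provoked the unreachable replies can be traced. The helper below is an added example written for this thread, not code from the original posts or from Cisco; the function names (`parse_106014`, `summarize`) and the sample log lines are constructed for illustration, reusing the addresses quoted in the first post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Human-readable names for the ICMP type/code pairs most often seen in
# %ASA-3-106014 messages. Type 3 is "Destination Unreachable"; code 1 is
# the "host unreachable" reply discussed in the thread.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL expired in transit",
}

# Matches the 106014 format quoted in the thread, with an optional syslog
# priority prefix such as <155>. Any other message id does not match.
LOG_RE = re.compile(
    r"^(?:<\d+>)?"
    r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-106014: Deny inbound icmp src "
    r"(?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)$"
)


def parse_106014(line):
    """Return a dict describing one 106014 line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    t, c = int(m["type"]), int(m["code"])
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "src_if": m["src_if"], "src": m["src"],
        "dst_if": m["dst_if"], "dst": m["dst"],
        "type": t, "code": c,
        "name": ICMP_NAMES.get((t, c), "unknown"),
    }


def summarize(lines, window_seconds=60):
    """Group denied ICMP by (src, dst, type, code) and report total count and
    the peak number of hits inside any sliding window of window_seconds."""
    by_flow = defaultdict(list)
    for e in filter(None, map(parse_106014, lines)):
        by_flow[(e["src"], e["dst"], e["type"], e["code"])].append(e["ts"])

    report = {}
    for key, stamps in by_flow.items():
        stamps.sort()
        peak, j = 0, 0
        for i, t in enumerate(stamps):
            # Advance the window start until it is within window_seconds of t.
            while (t - stamps[j]).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        report[key] = {
            "count": len(stamps),
            "peak_in_window": peak,
            "name": ICMP_NAMES.get(key[2:], "unknown"),
        }
    return report


# Constructed sample input: three host-unreachable replies inside one minute,
# one more an hour later, one echo request, and an unrelated 302013 line.
SAMPLE_LOGS = [
    "<155>Feb 17 2011 04:59:16: %ASA-3-106014: Deny inbound icmp src Outside:74.125.24.179 dst Inside:74.125.20.1 (type 3, code 1)",
    "<155>Feb 17 2011 04:59:40: %ASA-3-106014: Deny inbound icmp src Outside:74.125.24.179 dst Inside:74.125.20.1 (type 3, code 1)",
    "<155>Feb 17 2011 04:59:58: %ASA-3-106014: Deny inbound icmp src Outside:74.125.24.179 dst Inside:74.125.20.1 (type 3, code 1)",
    "<155>Feb 17 2011 05:59:10: %ASA-3-106014: Deny inbound icmp src Outside:74.125.24.179 dst Inside:74.125.20.1 (type 3, code 1)",
    "<155>Feb 17 2011 05:59:12: %ASA-3-106014: Deny inbound icmp src Outside:74.125.24.179 dst Inside:74.125.20.1 (type 8, code 0)",
    "<166>Feb 17 2011 05:59:13: %ASA-6-302013: Built outbound TCP connection 1 for Outside:203.0.113.5/80 (203.0.113.5/80) to Inside:172.27.80.10/51234 (74.125.20.1/51234)",
]

if __name__ == "__main__":
    for (src, dst, t, c), info in summarize(SAMPLE_LOGS).items():
        print(f"{src} -> {dst} type {t} code {c} ({info['name']}): "
              f"{info['count']} total, peak {info['peak_in_window']} per minute")
```

Because a type 3 reply is generated in response to a packet the ASA's outside address sent, the source in the report is the replying router, not the origin of the problem; the next step is to pull the ASA's outbound connection logs for the same timestamps to see which inside host triggered the reply.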
02-17-2011 09:49 AM
Diane,
Sounds like 74.125.24.179 from the outside world is sending ICMP to 74.125.20.1 (which should be a static NAT IP for an internal device)?
Are those valid IPs?
If so, what is your ICMP policy?
Federico.
02-17-2011 10:16 AM
Thanks for your prompt response, Federico.
Sorry, those IP addresses are not real. I just now realized that the source address was my gateway.
<155>Feb 17 2011 08:07:49: %ASA-3-106014: Deny inbound icmp src Outside:default gateway IP address dst Inside:IP address of outside interface of ASA (type 3, code 1)
Do you have any suggestions? Thanks.
Diane
02-17-2011 10:37 AM
Diane,
The ASA denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically allowed.
So, unless you have a rule to allow inbound ICMP packets, they are dropped.
Now, why is your default gateway sending ICMP packets to the outside IP of the ASA continually?
Federico.
02-17-2011 11:27 AM
Federico,
Thanks for your prompt response, again. I have these statements in my config. Could any of these statements cause the email notification?
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp
Thanks.
Diane
02-17-2011 11:30 AM
Diane,
You need to check for the ACL applied to the outside interface:
sh run access-group
to see which is the ACL and then
sh run access-list
will show the statements in that ACL.
If ICMP is not being permitted then it's denied implicitly.
In theory, ACLs look for thru-the-box traffic.
The icmp command by itself looks at-the-box traffic.
Please post the output of:
sh run access-group
sh run access-list NAME --> change name for the ACL applied to the outside interface
sh run icmp
Federico.
02-17-2011 12:36 PM
Here are the results:
sh run access-group
nothing is displayed
sh run access-list NAME --> change name for the ACL applied to the outside interface
I typed show run access-list. Here are the results:
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list nonat extended permit ip 216.132.250.0 255.255.255.0 172.27.80.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.27.80.0 255.255.255.0
access-list split standard permit 216.132.250.0 255.255.255.0
access-list accounting standard permit host 216.132.250.10
sh run icmp
icmp unreachable rate-limit 1 burst-size 1
Please let me know if you need anything else.
Thanks.
Diane
02-17-2011 01:05 PM
Diane,
The fact that you get:
sh run access-group
nothing is displayed
Means that there's no ACL applied to the outside interface.
This means that ICMP is not allowed to enter the ASA (no ICMP packets coming from the outside in an inbound direction are going to be allowed).
To resolve this we need to answer the following:
1. Why is the default gateway sending PINGs to the outside IP of the ASA on a regular basis?
2. Do you want to permit or deny these packets (right now they are denied and that's why you see those logs).
Federico.
02-17-2011 01:41 PM
1. I do not know why the default gateway keeps sending PINGs on a regular basis. Right now, I just got two email notifications again. They are the same email notification messages and they are sent at the same time.
2. I want to deny those packets.
So, you are telling me that I got the email notifications because I deny PING and someone is pinging my outside interface of the ASA. Therefore, the log file is sending me the email notification.
Thanks.
Diane
02-17-2011 02:47 PM
Diane,
That's what it looks like.
If you want a test you can permit ICMP to that IP and see if the log messages stop.
But if you want to deny those packets and not receive the logs, you can stop that specific log message from being sent to you.
Federico.
02-17-2011 05:33 PM
I want to test to see if the log messages would stop. How do I permit ICMP?
Thanks.
Diane
02-18-2011 05:59 AM
Since you don't have an ACL applied to the outside interface you can do:
access-list 109 permit icmp host 74.125.24.179 host 74.125.20.1
access-group 109 in interface outside control-plane <-- you might need this keyword
With the above PINGs from source to destination should work and the logs should stop.
Federico.
02-18-2011 08:18 AM
Thanks Federico. I just put those two statements. I will wait to see if the email notification will stop.
Thanks.
Diane
02-18-2011 08:51 AM
Federico,
I just got 3 email notifications again. They are the duplicate email notifications and are sent at the same time.
Thanks.
Diane
02-18-2011 09:51 AM
Federico,
You know what? I just noticed that I get the email notifications every hour. Sometimes, I got two duplicate email notifications at the same time. Other times, I got 3 duplicate email notifications. I just now got 4 duplicate email notifications. Perhaps there is a setting that says to send email notifications every hour.
Thanks.
Diane