%ASA-4-313005: No matching connection for ICMP error message:

Unanswered Question
Feb 2nd, 2010

Hi all,

I'd like to understand what this message means:

Feb 02 2010 16:30:14 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside: dst vlan_inside: (type 3, code 3) on outside interface.  Original IP payload: udp src dst

I've got an ASA and, behind it, some DNS. Often I see the message below and I cannot understand why.

Can anyone help me?



sachinraja Tue, 02/02/2010 - 07:48

Hello Das

Have you allowed ICMP between the zones? This just shows that ICMP is dropped between the IP addresses specified. This is just a warning message. The session may not be established, but you need to have a look at the source and destination IPs given in the error. Do you see the source/destination on your network? Are you getting too many of these, or just once in a while?


sachinraja Tue, 02/02/2010 - 08:15

Hi Das

It's good to have ICMP disabled from outside... you should not have it open unless it is highly essential. Even if it is, it's better to disable. What are the IP addresses shown in the log message? Is it anything related to your network? Do you have IPS or CS-MARS on your network? These devices can actually inspect packets on the application layer and see if there are any vulnerabilities or attacks on the packets entering your network...



John Peterson Wed, 06/13/2012 - 13:19


I am also having this message on our ASA; we have no idea of the IP address which is trying to connect.

Is there a Cisco reference to these syslog outputs?

m.sohnius Thu, 03/13/2014 - 12:38


This is a 4-year-old question, yet it comes up top of a relevant Google search, so it might be worth trying to answer:

Search for "%ASA-4-313005" on this page,


to see what Cisco has to say about it (admittedly for a PIX, but the same applies to ASAs).

For the background as to what may be happening look here:


On the whole, it's actually a bad idea categorically to deny incoming ICMP messages; echo-reply should certainly be allowed (so that people can ping) but some other ICMPs, including most "unreachable" messages, should also be allowed, particularly if your user community is technical and wants to do things like traceroutes.  Also, maximum-MSS negotiation - crucial for proper functioning of TCP - relies on "ICMP unreachable" control messages.

So, follow Cisco's advice and block the attacking address.  That is a good way to get rid of the log messages without actually disabling message type 313005 altogether.  The traffic itself is blocked anyway - that's what the firewall already did for you, and why it wrote a log message!


Vern Brinkman Wed, 07/01/2015 - 13:12

I am seeing this too.

So it goes out as ICMP and returns UDP?????

udp src 2.2.2..................

icmp src outside:...............


Is this why the ASA can't find a match?
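
Added example, not part of any post in this thread and not Cisco code: a Python parser for 313005 lines that separates the outer ICMP error from the "Original IP payload" part, which is the header of the packet that triggered the error, quoted inside the ICMP message (type 3, code 3 is "port unreachable"). Where the addresses and ports sit in the line is an assumption, since the line quoted above has them stripped, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Field layout follows the 313005 line quoted in the thread; the position of
# addresses and ports is an assumption (the quoted line has them stripped).
PATTERN = re.compile(
    r"%ASA-4-313005: .*?icmp src (?P<src_if>[^:\s]+):(?P<icmp_src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<icmp_dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<on_if>\S+) interface\.\s+"
    r"Original IP payload: (?P<proto>\w+) src (?P<orig_src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<orig_dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# A few destination-unreachable (type 3) codes from RFC 792 / RFC 1191.
UNREACHABLE = {0: "net unreachable", 1: "host unreachable",
               3: "port unreachable", 4: "fragmentation needed"}

def parse_313005(line):
    """Return a dict describing one 313005 event, or None for any other line."""
    m = PATTERN.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["type"], ev["code"] = int(ev["type"]), int(ev["code"])
    ev["meaning"] = (UNREACHABLE.get(ev["code"], "unreachable (other code)")
                     if ev["type"] == 3 else f"icmp type {ev['type']}")
    # The embedded header is the packet the ICMP sender could not deliver,
    # so a genuine error is addressed to that packet's source.
    ev["addressed_to_orig_sender"] = ev["icmp_dst"] == ev["orig_src"]
    return ev

def summarize(lines):
    """Count events per (ICMP sender, meaning, embedded protocol) for triage."""
    events = [e for e in map(parse_313005, lines) if e]
    return Counter((e["icmp_src"], e["meaning"], e["proto"]) for e in events)

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE = [
    "Feb 02 2010 16:30:14 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:203.0.113.7 dst vlan_inside:192.0.2.53 (type 3, code 3) on outside interface.  Original IP payload: udp src 192.0.2.53/53 dst 203.0.113.7/40211.",
    "Feb 02 2010 16:30:15 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:203.0.113.7 dst vlan_inside:192.0.2.53 (type 3, code 3) on outside interface.  Original IP payload: udp src 192.0.2.53/53 dst 203.0.113.7/40212.",
    "Feb 02 2010 16:31:02 PROD : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:198.51.100.20 dst vlan_inside:192.0.2.80 (type 3, code 4) on outside interface.  Original IP payload: tcp src 192.0.2.80/443 dst 198.51.100.99/51514.",
    "Feb 02 2010 16:31:05 PROD : some other syslog line",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```
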


