icmp deny in syslog on the firewall

cciesec2011
Level 3

access-list external extended permit icmp any any log
access-list external extended permit udp host 216.211.119.10 host 170.198.64.129 eq isakmp log
access-list external extended permit udp host 216.211.119.10 host 170.198.64.129 eq 4500 log
access-list external extended permit esp host 216.211.119.10 host 170.198.64.129 log
access-list external extended permit ip host 216.211.119.10 host 170.198.64.129 log
access-list external extended permit tcp host 216.211.119.254 host 170.198.64.97 eq smtp log
access-list external extended permit tcp host 216.211.119.254 170.198.64.96 255.255.255.224 eq smtp log
access-list external extended deny ip host 216.211.119.254 170.198.64.96 255.255.255.224 log
access-list external extended permit ip any any log

access-list Firewall extended permit udp host 216.211.119.10 host 170.198.64.129 eq isakmp log
access-list Firewall extended permit udp host 216.211.119.10 host 170.198.64.129 eq 4500 log
access-list Firewall extended permit esp host 216.211.119.10 host 170.198.64.129 log
access-list Firewall extended permit ip host 216.211.119.10 host 170.198.64.129 log
access-list Firewall extended deny udp any any eq isakmp log
access-list Firewall extended deny udp any any eq 4500 log
access-list Firewall extended deny esp any any log
access-list Firewall extended permit icmp any any log
access-list Firewall extended permit ip any any log

access-group Firewall in interface external control-plane
access-group external in interface external

URPF is NOT enabled. This ASA is running version 8.2(1). There are only two interfaces, internal and external.
"no nat-control" is enabled.

For the past couple of days, I have been seeing this syslog message on my syslog server:

Jul 23 17:39:01 ASA-VPN Jul 23 2010 21:39:01: %ASA-3-313001: Denied ICMP type=4, code=0 from 195.97.148.89 on interface external

Why am I seeing this message when ICMP is allowed THROUGH and TO the firewall itself?

Anyone know why?

14 Replies

Jitendriya Athavale
Cisco Employee

This is type 4, code 0, which is a Source Quench.

from wiki:

The Source Quench is an Internet Control Message Protocol message which requests the sender to decrease the traffic rate of messages to a router or host. This message may be generated if the router or host does not have sufficient buffer space to process the request, or may occur if the router or host's buffer is approaching its limit.

Now what we need to see is why the firewall is dropping this type of packet.

One quick question here:

The denies that you have been seeing in the last few days, are they of the same type and code?

Also, do you recognise the public IP mentioned in the log (any VPN peer or something like that)?

Having said that, this is an old method and is not used anymore.

I would assume this to be an attack.

Probably your firewall is dropping it thinking it is an attack.

Do you have any IPS module on this firewall, or do you have threat detection configured?

"The denies that you have been seeing in the last few days, are they of the same type and code?"

Yes.

"Also, do you recognise the public IP mentioned in the log (any VPN peer or something like that)?"

Yes. That IP address is my SolarWinds Network Performance Monitor server. It collects data from the ASA via SNMP.

Why is the ASA denying ICMP from my Network Management System (NMS)? The larger point is why it is doing that when I have "permit ip any any log" in the ACL.

"Do you have any IPS module on this firewall, or do you have threat detection configured?"

No. I do not have an IPS module on the ASA, so threat detection is not configured.

Any other suggestions?

ASA-VPN> sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

ASA-VPN up 91 days 0 hours
failover cluster up 91 days 0 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 0026.cbb0.deea, irq 9
1: Ext: Ethernet0/1         : address is 0026.cbb0.deeb, irq 9
2: Ext: Ethernet0/2         : address is 0026.cbb0.deec, irq 9
3: Ext: Ethernet0/3         : address is 0026.cbb0.deed, irq 9
4: Ext: Management0/0       : address is 0026.cbb0.dee9, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 250
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5510 Security Plus license.

Serial Number: XXXXXX
Running Activation Key: XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
ASA-VPN>

Do you see the drops even when you try to ping the outside IP of the firewall from the SNMP server?

I have a strong feeling that it is only denying type 4, code 0 messages.

I am not seeing any drop when I ping the firewall outside interface from this Network Management System.

The question is why it is doing this?  "permit icmp any any" and "permit ip any any" should be enough to allow this traffic, including icmp type 4 code 0, to hit the external interface of the firewall right?  Why am I seeing this deny message?

I understand. I have read your config and I can see you are permitting ICMP.

It should not be denying it.

But what I am interested in looking at is whether it is only this type of ICMP that it is dropping, or whether it is dropping ICMP traffic randomly.

As I said before, according to the RFC no device is supposed to send such ICMP messages, so probably it thinks it is an attack.

Can you post the following output:

show run icmp

or

show run | in icmp

Also, show threat-detection statistics.

ASA-VPN# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 216.211.64.129 external
icmp permit host 216.211.64.130 external
icmp permit host 216.211.64.140 external
icmp permit host 216.211.64.141 external
icmp permit host 216.211.64.142 external
icmp permit 216.211.148.128 255.255.255.128 external
icmp permit host 216.211.155.205 external
icmp permit host 216.211.250.16 external
icmp permit host 171.214.219.10 external
icmp permit 195.97.148.0 255.255.255.0 external
icmp permit host 216.211.156.6 external
ASA-VPN#

ASA-VPN# show threat-detection statistics
Top          Name   Id    Average(eps)    Current(eps) Trigger      Total events
  1-hour ACL hits:
01  external/9                       0               0       0               180
02  internal/2                       0               0       0               148
03  internal/6                       0               0       0               145
04  external/1                       0               0       0               140
05  Firewall/9                       0               0       0                 1
  8-hour ACL hits:
01  internal/6                       0               0       0              1924
02  external/9                       0               0       0              1423
03  internal/2                       0               0       0              1269
04  external/1                       0               0       0              1166
05  Firewall/9                       0               0       0                 2
24-hour ACL hits:
01  internal/6                       0               0       0              5344
02  external/9                       0               0       0              3928
03  internal/2                       0               0       0              3753
04  external/1                       0               0       0              3472
05  Firewall/9                       0               0       0                 9
06  internal/3                       0               0       0                 2
07  Firewall/3                       0               0       0                 1
08  external/6                       0               0       0                 1
ASA-VPN#

Can you grab a "show run policy-map", "show run service-policy" and "show service-policy"

ASA-VPN# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
ASA-VPN#
ASA-VPN# sh run service-policy
service-policy global_policy global
ASA-VPN#
ASA-VPN# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 241304, drop 60, reset-drop 0
      Inspect: ftp, packet 1555, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 24, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 24, drop 0, reset-drop 0
      Inspect: rtsp, packet 24, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 24, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 2716, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 24, drop 12, reset-drop 0
      Inspect: sip , packet 12, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 3859, drop 0, reset-drop 0
      Inspect: tftp, packet 24, drop 12, reset-drop 0
ASA-VPN#

Just to make sure it's not something super simple can you try adding

policy-map global_policy
class inspection_default
  inspect icmp

"policy-map global_policy
class inspection_default
  inspect icmp"

Why do I need to do this? "permit icmp any any" & "permit ip any any" will do the same trick, right?

Yes it should do the same thing. I just wanted to see if for some odd reason the results were any different.

My theory is that the ASA just doesn't know what to do with source quench once it receives it. Can you tell us what the 195.97.148.89 address is?

Looking at the Wikipedia article about the Source Quench, I see that the Source Quench should be a response to another piece of data.

http://en.wikipedia.org/wiki/ICMP_Source_Quench

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+-------------------------------+
    |   Type = 4    |   Code = 0    |        Header Checksum        |
    +---------------+---------------+-------------------------------+
    |                             Empty                             |
    +---------------------------------------------------------------+
    |     IP Header + First 8 Bytes of Original Datagram's Data     |
    +---------------------------------------------------------------+

Perhaps the ASA is not able to find what connection this Source Quench is referring to so it just drops the packet. If we look in the last field we see that the connection to be slowed should be identified by the first 8 bytes of the original datagram's data, and maybe the ASA just doesn't know what the corresponding connection is, hence the drop.

"Can you tell us what the 195.97.148.89 address is?"

My Network Management System (NMS), as stated earlier in the thread.

Andrew Ossipov
Cisco Employee

Hello,

Since ICMP Type 4, Code 0 messages include an embedded IP packet (the original one that the Quench corresponds to), the ASA will only permit it if it can match it to the original session (conn entry). For this to happen, ICMP Inspection must be enabled.

Andrew
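The stateful check Andrew describes (and the drop theory in the earlier reply), as an added Python simulation that is not from the thread or from Cisco: it builds a constructed Source Quench quoting an SNMP datagram, extracts the embedded flow, and only permits the message when that flow matches a tracked connection. The ASA external address is a placeholder, since the thread does not state it.

```python
import struct
from ipaddress import ip_address

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ASA_EXTERNAL = "203.0.113.1"  # placeholder: the thread never gives the ASA external address
NMS = "195.97.148.89"         # the NMS address quoted in the syslog line

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left 0 because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)

def build_source_quench(sender, receiver, q_src, q_sport, q_dst, q_dport):
    # Constructed ICMP type 4 / code 0. The body carries the IP header of the datagram
    # being quenched plus its first 8 payload bytes (for UDP, that is the UDP header).
    quoted = ipv4_header(q_src, q_dst, IPPROTO_UDP, 8) + struct.pack("!HHHH", q_sport, q_dport, 8, 0)
    icmp = struct.pack("!BBHI", 4, 0, 0, 0) + quoted  # type, code, checksum (unset), unused
    return ipv4_header(sender, receiver, IPPROTO_ICMP, len(icmp)) + icmp

def quoted_flow(packet):
    # Parse the datagram embedded in the ICMP error: (proto, src, sport, dst, dport).
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if icmp[0] != 4 or icmp[1] != 0:
        raise ValueError("not an ICMP Source Quench")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (inner[9], str(ip_address(inner[12:16])), sport, str(ip_address(inner[16:20])), dport)

def stateful_verdict(packet, conn_table):
    # What ICMP inspection adds: admit the error only if the quoted flow (either direction)
    # is a connection the firewall already tracks; otherwise drop it, which is the
    # "%ASA-3-313001: Denied ICMP type=4" seen in the thread.
    proto, src, sport, dst, dport = quoted_flow(packet)
    forward = (proto, src, sport, dst, dport)
    reverse = (proto, dst, dport, src, sport)
    return "permit" if forward in conn_table or reverse in conn_table else "deny"

# Constructed scenario: the NMS polls the ASA over SNMP (UDP/161) and later quenches the
# ASA's replies. Only a firewall holding the SNMP conn entry can relate the two packets.
snmp_conn = {(IPPROTO_UDP, NMS, 50123, ASA_EXTERNAL, 161)}
quench = build_source_quench(NMS, ASA_EXTERNAL, ASA_EXTERNAL, 161, NMS, 50123)

if __name__ == "__main__":
    print("without inspection state:", stateful_verdict(quench, set()))    # deny
    print("with SNMP conn entry:    ", stateful_verdict(quench, snmp_conn))  # permit
```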

Where do you see this in the documentation?

I need to enable ICMP inspection even for traffic destined for the firewall interface?
