ASA enormous log %ASA-3-313001:

Unanswered Question
Aug 14th, 2014
ASA enormous log about %ASA-3-313001:

show log output:

Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.10.8 on interface Trust
Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.38 on interface Trust
Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.27 on interface Trust
Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.39 on interface Trust
Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.13 on interface Trust
Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.10.60 on interface Trust
Aug 15 2014 11:27:50: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.38 on interface Trust
Aug 15 2014 11:27:50: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.10.8 on interface Trust
Aug 15 2014 11:27:50: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.27 on interface Trust
Aug 15 2014 11:27:55: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.10.8 on interface Trust
Aug 15 2014 11:27:55: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.38 on interface Trust
Aug 15 2014 11:27:55: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.27 on interface Trust

 

show run icmp output:

icmp permit any Trust

Karsten Iwen Thu, 08/14/2014 - 23:37

These are redirects which are not allowed on the ASA. Probably you have chosen a network-layout that does not fit the need of the ASA. The old rule "the ASA is not a router" is still valid. Another possibility is just misconfigured routing. Please share a network-diagram and your routing-config.

gongguomeng Fri, 08/15/2014 - 01:37

Hi, Iwen.

The topology is quite simple, the ASA is just the gateway of 172.19.9/10.0. I managed to configure "icmp permit any redirect Trust", but it did not work. I am quite confused about this log.

Karsten Iwen Fri, 08/15/2014 - 01:43

As far as I remember, the ASA doesn't allow redirects regardless of what you configure. But at least there should be an internal router for one or more of the additional subnets? Again: A diagram and the config would help.
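
To see which hosts behind the Trust interface are emitting the denied redirects, the `show log` output can be summarised per sender. This is an added example, not part of the original thread; the function names and the last two sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: lines 1-4 reuse the format and addresses shown in the
# thread; the last two are made up to exercise the filters.
SAMPLE = """\
Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.10.8 on interface Trust
Aug 15 2014 11:27:40: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.9.38 on interface Trust
Aug 15 2014 11:27:50: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.10.8 on interface Trust
Aug 15 2014 11:27:55: %ASA-3-313001: Denied ICMP type=5, code=0 from 172.19.10.8 on interface Trust
Aug 15 2014 11:27:56: %ASA-3-313001: Denied ICMP type=8, code=0 from 172.19.9.50 on interface Trust
Aug 15 2014 11:27:57: truncated or unrelated line
"""

ICMP_REDIRECT = 5  # RFC 792 message type
REDIRECT_CODES = {0: "network", 1: "host", 2: "ToS+network", 3: "ToS+host"}

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-3-313001: "
    r"Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<ifc>\S+)"
)

def redirect_sources(text):
    """Map (interface, source) -> count, first/last seen and codes of denied redirects."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m["type"]) != ICMP_REDIRECT:
            continue  # other message IDs, other ICMP types, malformed lines
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        s = stats.setdefault((m["ifc"], m["src"]),
                             {"count": 0, "first": ts, "last": ts, "codes": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["codes"].add(int(m["code"]))
    return stats

def report(stats):
    """One line per sender, busiest first."""
    rows = []
    for (ifc, src), s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        span = int((s["last"] - s["first"]).total_seconds())
        codes = ", ".join(REDIRECT_CODES.get(c, f"code {c}") for c in sorted(s["codes"]))
        rows.append(f"{src} on {ifc}: {s['count']} redirects in {span}s ({codes})")
    return rows

if __name__ == "__main__":
    print("\n".join(report(redirect_sources(SAMPLE))))
```
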
