Cisco Support Community
Community Member

Doubt with Log

Hello All

I have some doubts about an ASA log...

If someone could help me

Jul 23 16:54:42 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside: dst inside: (type 3, code 3) on outside interface.  Original IP payload: udp src dst = workstation = server

Why this message?

Maybe any drop in my network because of it???

How can I fix it?

Thanks anyway.


Cisco Employee

That means the port is unreachable, and from your error message, since it's UDP/53, either the DNS resolution does not work or it has already passed the timeout for the DNS reply. As a safety measure, the firewall will drop the packet if it doesn't receive the DNS reply within a certain period of time; this is to protect against DNS attacks.

Community Member

Hi Jennifer, thanks for your answer.

Hmm... I have port udp/53 allowed...

Maybe a problem with the server? Or is there anything I need to do on the ASA?

Cisco Employee

Yeah, it seems like a problem with the server if the port is already allowed on the ASA.
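For triaging this message across a whole log rather than one line, here is an added example (not part of the thread, and not Cisco code) that parses %ASA-4-313005 lines and counts events per embedded flow, so the host pair behind the port-unreachable errors stands out. The `iface:address` and `address/port` layout of the fields that are blank in the posted line is an assumption, and the addresses and sample lines are constructed.

```python
import re
from collections import Counter

# Assumed layout of the fields blanked out in the posted log line:
# iface:address for the ICMP endpoints, address/port for the embedded packet.
PATTERN = re.compile(
    r"%ASA-4-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<icmp_src_if>\S+?):(?P<icmp_src>\S+) "
    r"dst (?P<icmp_dst_if>\S+?):(?P<icmp_dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<iface>\S+) interface\.\s+"
    r"Original IP payload: (?P<proto>\w+) "
    r"src (?P<orig_src>[^/\s]+)/(?P<orig_sport>\d+) "
    r"dst (?P<orig_dst>[^/\s]+)/(?P<orig_dport>\d+)"
)
ICMP_NAMES = {(3, 1): "host unreachable", (3, 3): "port unreachable",
              (11, 0): "TTL exceeded in transit"}

# Constructed sample lines (documentation/private addresses, not from the thread).
SAMPLE = [
    "Jul 23 16:54:42 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:198.51.100.20 dst inside:10.1.1.53 (type 3, code 3) on outside interface.  Original IP payload: udp src 10.1.1.53/53 dst 198.51.100.20/51514.",
    "Jul 23 16:54:47 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:198.51.100.20 dst inside:10.1.1.53 (type 3, code 3) on outside interface.  Original IP payload: udp src 10.1.1.53/53 dst 198.51.100.20/51622.",
    "Jul 23 16:55:03 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:203.0.113.9 dst inside:10.1.1.80 (type 3, code 1) on outside interface.  Original IP payload: tcp src 10.1.1.80/443 dst 203.0.113.77/40112.",
    "Jul 23 16:55:10 %ASA-6-302016: Teardown UDP connection (constructed, unrelated line)",
]

def parse_313005(line):
    """Return the message fields as a dict, or None for any other log line."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "orig_sport", "orig_dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Count events per (ICMP meaning, protocol, embedded src/port, embedded dst)."""
    counts = Counter()
    for line in lines:
        rec = parse_313005(line)
        if rec is None:
            continue
        meaning = ICMP_NAMES.get((rec["type"], rec["code"]),
                                 f"type {rec['type']} code {rec['code']}")
        # The embedded destination port is left out of the key: it is usually
        # an ephemeral port that changes on every query.
        counts[(meaning, rec["proto"],
                f"{rec['orig_src']}/{rec['orig_sport']}", rec["orig_dst"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

A pair that keeps showing up with `udp` and source port 53 points at one resolver and one client, which narrows where to look on the server side.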
