
ICMP Errors on ASA 5520

Mark Wagnon
Level 1

Hello All,

I started poking around our ASA 5520 (I seem to have inherited the job of administrating it) and I'm seeing the following messages intermixed in the syslog:

Denied ICMP type=3, code=13 from 10.35.200.9 on interface Outside
No matching connection for ICMP error message: icmp src Outside:10.35.200.9 dst identity:10.35.1.2 (type 3, code 13) on Outside interface.  Original IP payload: icmp src 10.35.1.2 dst 66.114.54.32 (type 0, code 0).
Deny icmp src Outside:10.35.200.9 dst Inside:10.35.1.2 (type 3, code 13) by access-group "Outside_access_in" [0x0, 0x0]

I don't know which precedes the other, but they are occurring at a rate of 20-30 or so per minute. A little about the IP addresses above:

10.35.200.9: this is the ip route set on our edge/Internet router. I'm assuming it's on the router for our Opt-e-man hand-off.
10.35.1.2: this is the outside interface on our ASA
66.114.54.32: Not sure what this is, something called Panther Express.

I don't know if this is something normal to see on the ASA or what is even going on here. From what I've read, the ICMP type 3, code 13 message means that the destination is unreachable due to an administrative setting to prohibit communication. Any thoughts on if I should be worried?

Thanks!
Mark

9 Replies

Maykol Rojas
Cisco Employee

Hello,

It means that the firewall was sending packets to 66.114.54.32 and 10.35.200.9 told it that this address is not reachable. It would be better for you to find out what 66.114.54.32 is.

Is that some kind of SNMP server or something like that? Can you check it on your configuration?

Cheers

Mike

Mike

Thanks for the quick response!

I have no idea what's at 66.114.54.32. It is external to our network. There are hundreds of these warnings and the destination address in the original payload vary.

For some reason (by design?) I can't do any traceroutes from workstations on our network to external hosts, but I can traceroute from a router beyond our ASA to the above IP address. And I know that our Internet provider (our county office of education) blocks ping, but these facts may not play into this matter.

Thanks again,

Mark

That is correct. Have you gone through the config to check if that IP address is there? Do you have any application on the inside that uses ICMP messages in order to work?

Let me know.

Mike

Mike

BTW, the 66.x.x.x. ip seems to be ns2.panthercdc.com.

I am not sure if that rings a bell to you.

PK

I get the following when I do a nslookup for that IP: mia-agg-n22.panthercdn.com. It's not one of our hosts, and it's external to us, so no bells rung here. The IP addresses vary and it was just by chance I selected that IP as I copied a section from the log at random. Thanks!

pkampana wrote:

BTW, the 66.x.x.x. ip seems to be ns2.panthercdc.com.

I am not sure if that rings a bell to you.

PK

I went through the configs on our ASA and the edge router and that IP address is not listed in either config. As far as applications needing ICMP to function, we don't have any that I know of. I guess I'm kind of wondering why our ASA is trying to talk to these IPs or if it's just trying to forward traffic normally and being told by the host at 10.35.200.9 that those destinations are unreachable for whatever reason. I do not have access to the 10.35.200.9 device though. Funny thing is, I can traceroute from a router that sits between our ASA and the 10.35.200.9 router. Interesting. Thanks for your help!

mayrojas wrote:

That is correct, Have you go through the config to check if that IP address is there? Do you have any aplication on the inside that uses ICMP messages in order to work?

Let me know.

Mike

Hello Mark,

The only thing that occurs to me is the following.

1-The ASA itself tries to locate someone on the outside world (doing queries to DNS or whatever), does not get a response, and the guys on the internet are telling you that they cannot reach it. These packets are denied; you have a deny icmp any outside (you can check that by doing sh run icmp).

2-Someone on the inside is trying to reach any of those hosts, and the same story happens (of course this would happen only in case you are running PAT).

Hope this helps.

Mike
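A worked example, added here and not part of the thread or of any Cisco tool, that turns Mark's log lines and Mike's two explanations into a check you can run over a syslog export: it parses the ASA "No matching connection for ICMP error message" lines, decodes the ICMP type 3 code into its RFC 792 meaning, and uses the destination interface tag to tell the two cases apart (dst identity: the error is addressed to the ASA's own address, so the ASA sent the original packet; dst Inside:host, so the error is being delivered to an inside host). The sample lines are constructed: the first three copy the format of the lines in Mark's post, the rest are made up to exercise the tcp/udp payload form (addr/port, which is an assumption about the message format) and the inside-host case.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Meaning of ICMP type 3 (Destination Unreachable) codes, per RFC 792 / RFC 1812.
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 8: "source host isolated",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    11: "network unreachable for TOS", 12: "host unreachable for TOS",
    13: "communication administratively prohibited", 14: "host precedence violation",
    15: "precedence cutoff in effect",
}

# Matches the ASA "No matching connection for ICMP error message" line. The embedded
# original payload is "icmp src A dst B (type t, code c)" as in the thread; the
# "tcp/udp src A/port dst B/port" form is an assumption and is matched optionally.
ERROR_RE = re.compile(
    r"No matching connection for ICMP error message: icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<rx_if>\S+) interface\.\s+"
    r"Original IP payload: (?P<proto>\w+) src (?P<o_src>[^\s/]+)(?:/(?P<o_sport>\d+))? "
    r"dst (?P<o_dst>[^\s/]+)(?:/(?P<o_dport>\d+))?"
    r"(?: \(type (?P<o_type>\d+), code (?P<o_code>\d+)\))?\."
)


@dataclass
class IcmpError:
    reporter: str          # device that generated the ICMP error (the upstream router)
    victim: str            # where the error is being delivered (ASA address or inside host)
    victim_iface: str      # "identity" means the ASA's own interface address
    type_: int
    code: int
    orig_proto: str        # protocol of the packet that provoked the error
    orig_src: str
    orig_dst: str          # the destination the reporter says is unreachable
    orig_dport: Optional[int]

    @property
    def meaning(self) -> str:
        if self.type_ == 3:
            return UNREACHABLE_CODES.get(self.code, f"unknown code {self.code}")
        return f"type {self.type_} code {self.code}"

    def origin(self) -> str:
        """Mike's option 1 vs option 2: an error addressed to the ASA's identity
        address means the ASA itself sent the original packet; an error addressed
        to an inside interface host means it is headed for an inside host."""
        return "asa-originated" if self.victim_iface == "identity" else "inside-host"


def parse_icmp_error(line: str) -> Optional[IcmpError]:
    """Return an IcmpError for a 'No matching connection' line, else None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    return IcmpError(
        reporter=m["src"], victim=m["dst"], victim_iface=m["dst_if"],
        type_=int(m["type"]), code=int(m["code"]), orig_proto=m["proto"],
        orig_src=m["o_src"], orig_dst=m["o_dst"],
        orig_dport=int(m["o_dport"]) if m["o_dport"] else None,
    )


def summarize(lines: Iterable[str]) -> dict:
    """Tally who is sending the errors, what they mean, which side of the ASA the
    original traffic came from, and which destinations are being reported."""
    errors = [e for e in map(parse_icmp_error, lines) if e]
    return {
        "total": len(errors),
        "by_origin": dict(Counter(e.origin() for e in errors)),
        "by_reporter": dict(Counter(e.reporter for e in errors)),
        "by_meaning": dict(Counter(e.meaning for e in errors)),
        "unreachable_destinations": sorted({e.orig_dst for e in errors}),
    }


# Constructed sample: lines 1-3 follow the format quoted in the thread, the rest are invented.
SAMPLE_LINES = [
    "Denied ICMP type=3, code=13 from 10.35.200.9 on interface Outside",
    "No matching connection for ICMP error message: icmp src Outside:10.35.200.9 dst identity:10.35.1.2 "
    "(type 3, code 13) on Outside interface.  Original IP payload: icmp src 10.35.1.2 dst 66.114.54.32 (type 0, code 0).",
    'Deny icmp src Outside:10.35.200.9 dst Inside:10.35.1.2 (type 3, code 13) by access-group "Outside_access_in" [0x0, 0x0]',
    "No matching connection for ICMP error message: icmp src Outside:10.35.200.9 dst identity:10.35.1.2 "
    "(type 3, code 13) on Outside interface.  Original IP payload: icmp src 10.35.1.2 dst 198.51.100.7 (type 8, code 0).",
    "No matching connection for ICMP error message: icmp src Outside:10.35.200.9 dst Inside:10.35.1.50 "
    "(type 3, code 13) on Outside interface.  Original IP payload: tcp src 10.35.1.50/51234 dst 203.0.113.5/443.",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feed it the output of `show logging` or the syslog server's file; a count dominated by one reporter and "communication administratively prohibited" with "asa-originated" origins points at the upstream router's ICMP filtering of the ASA's own traffic, while "inside-host" entries are worth tracing back to the inside address and port they name.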

Mike

Hi Mike,

Option 1 sounds more like what is happening because we're not using PAT. When I issue sh run icmp, I get "icmp unreachable rate-limit 1 burst-size 1". Our issue seems to be normal activity then? I just want to make sure that we're not experiencing any issues or, even worse, causing them for someone else.

Thanks for all your help,

Mark

mayrojas wrote:

Hello Mark,

The only thing that occurs to me is the following.

1-The ASA itself tries to locate someone on the outside world (doing queries to DNS or whatever), does not get a response, and the guys on the internet are telling you that they cannot reach it. These packets are denied; you have a deny icmp any outside (you can check that by doing sh run icmp).

2-Someone on the inside is trying to reach any of those hosts, and the same story happens (of course this would happen only in case you are running PAT).

Hope this helps.

Mike

Hello,

I am pretty confident that you are not causing any damage to anyone, but sniffing the packets or knowing the source of this would be nice. This may also be something related to your ISP blocking ICMP messages.

Cheers.

Mike.
