Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19780
Views
5
Helpful
11
Replies

No matching connection for ICMP error

Go to solution
parisvcisco
Level 1
Level 1

‎09-01-2014 06:12 AM - edited ‎03-12-2019 06:07 PM

I'm seeing this on our cisco pix 515e firewall log quite often:

Sep  1 13:42:52 192.168.120.248 %PIX-4-313005: No matching connection for ICMP error message: icmp src guest:192.168.0.10 dst outside:8.8.8.8 (type 3, code 3) on guest interface.  Original IP payload: udp src 8.8.8.8/53 dst 192.168.0.10/52456.

 

on the firewall we have this set:  ip address 192.168.0.248 255.255.255.0

access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any 
access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any echo 
access-list guest-out extended permit icmp 192.168.0.0 255.255.255.0 any echo-reply 
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  inspect icmp 

mtu guest 1500

 

 

on a layer 3 switch we have this set:

ip dhcp pool guest_wifi_pool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.248 
 dns-server 8.8.8.8 8.8.4.4 

 

interface Vlan2
 ip address 192.168.0.1 255.255.255.0

 

then we have unifi access points in this switch. so far the source ips in the error message seem to be iphones!

 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nkarthikeyan
Level 7
Level 7
In response to parisvcisco

‎09-03-2014 05:03 AM

Hi,

Any reason why your IP phone initiates the traffic for 8.8.8.8 ? can you check on the settings of ip phone and make sure it is as per your requirement....

Type 3 – Destination Unreachable

Code 3 - Destination port unreachable

for dns to work..... you need to allow domain in access-list.

access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.8.8 eq domain

access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.4.4 eq domain

 

also you need to allow the echo-reply for this on inbound acl (outside) interface.

 

any to 192.168.0.0 - echo-reply

 

 

 

View solution in original post

0 Helpful
11 Replies 11

Go to solution
rvarelac
Level 7
Level 7

‎09-01-2014 01:46 PM

Hi 

 

the IP 192.168.0.10 is trying to use the DNS server (53) of the IP 8.8.8.8  and the ASA captures the destination is unreachable  (Type 3 ) and the port requested is unreachable (code 3).

 

It might be an application on the device or that the ASA could be dropping the request for security reasons.

 

I would suggest you to place a capture  on the inside and verify this  a DNS request and see which application might be causing this behavior.

Hope this helps !

 

- Randy -

0 Helpful

Go to solution
parisvcisco
Level 1
Level 1
In response to rvarelac

‎09-01-2014 08:39 PM

Yes on the switch I have set the DNS server to be 8.8.8.8 and 8.8.4.4 for that vlan. Do I need to do something on the firewall to allow this?

0 Helpful

Go to solution
rvarelac
Level 7
Level 7
In response to parisvcisco

‎09-02-2014 09:10 AM

Hi , 

 

And the DNS service works fine ?   

 

It looks like the ASA is not able to reach the DNS sometimes , can you check if the ASA is dropping the service. 

 

I suggest you to place an ASP capture,  

Example :

Capture drop interface inside type asp-drop all 

 

Wait a couple of seconds or start manually the DNS service (request) 

 

And check the capture : Show capture drop | incl 53 

 

Also check on the service policy if the DNS has the inspection enable.

 

Hope this help

 

Please rate helpful post ! 

- Randy - 

 

 

Go to solution
parisvcisco
Level 1
Level 1
In response to rvarelac

‎09-03-2014 12:56 AM

I don't have type available......

 

# capture drop interface inside ?      

  access-list      Capture packets that match access-list
  buffer           Configure size of capture buffer, default is 512 KB
  circular-buffer  Overwrite buffer from beginning when full, default is
                   non-circular
  ethernet-type    Capture Ethernet packets of a particular type, default is IP
  headers-only     Capture only L2, L3 and L4 headers of packet without data in
                   them
  match            Capture packets matching five-tuple
  packet-length    Configure maximum length to save from each packet, default
                   is 68 bytes
  real-time        Display captured packets in real-time. Warning: using this
                   option with a slow console connection may result in an
                   excessive amount of non-displayed packets due to performance
                   limitations.
  trace            Trace the captured packets

 

fyi this is a cisco pix 515e so pretty old! 

0 Helpful

Go to solution
parisvcisco
Level 1
Level 1
In response to parisvcisco

‎09-03-2014 01:30 AM

I was able to run this:

capture asp type asp-drop all

# show capture asp | inc 8.8.8.8  
327: 09:00:10.672618 802.1Q vlan#2 P0 192.168.0.25 > 8.8.8.8: icmp: 192.168.0.25 udp port 52444 unreachable

 

We have icmp permit any outside but would icmp permit any guest work/help?

0 Helpful

Go to solution
nkarthikeyan
Level 7
Level 7
In response to parisvcisco

‎09-03-2014 05:03 AM

Hi,

Any reason why your IP phone initiates the traffic for 8.8.8.8 ? can you check on the settings of ip phone and make sure it is as per your requirement....

Type 3 – Destination Unreachable

Code 3 - Destination port unreachable

for dns to work..... you need to allow domain in access-list.

access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.8.8 eq domain

access-list guest-out extended permit udp 192.168.0.0 255.255.255.0 host 8.8.4.4 eq domain

 

also you need to allow the echo-reply for this on inbound acl (outside) interface.

 

any to 192.168.0.0 - echo-reply

 

 

 

0 Helpful

Go to solution
parisvcisco
Level 1
Level 1
In response to nkarthikeyan

‎09-03-2014 05:07 AM

not ip phones just iphones!

so vlan 2 is for the guest wifi and I want them to use Google's dns servers for DNS.

so on the switch that's doing the routing I have set:

ip dhcp pool guest_wifi_pool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.248 
 dns-server 8.8.8.8 8.8.4.4 

Do I still need to do the steps have you have posted?

0 Helpful

Go to solution
nkarthikeyan
Level 7
Level 7
In response to parisvcisco

‎09-03-2014 05:25 AM

Hi,

 

Yes.... on your guest connected interface you need to allow dns (domain) udp - 53 from guest lan to 8.8.8.8 / 8.8.4.4.

 

And if you want to allow icmp access to those dns servers for checking or testing then you need to allow echo on guest connected interface acl and echo-reply on outside interface acl...

 

Regards

Karthik

0 Helpful

Go to solution
parisvcisco
Level 1
Level 1
In response to nkarthikeyan

‎09-03-2014 05:49 AM

 

at the moment i have 

access-group guest-out in interface guest

do i need to do 

access-group guest-in in interface guest

then 

access-group guest-in any to 192.168.0.0 - echo-reply

 

0 Helpful

Go to solution
nkarthikeyan
Level 7
Level 7
In response to parisvcisco

‎09-03-2014 06:09 AM

nope....

 

Please send me your configuration file.... hide out the sensitive information and send me to this post or to the private message... i will suggest you on that..

 

Regards

Karthik

0 Helpful

Go to solution
Kevin_W
Level 1
Level 1

‎03-09-2020 02:51 AM

We had the same problem and log messages. 
The solution in our scenario is to disable IPv6 on the ethernet adapter of the affected notebook. After that, DNS was successful. 


Just in case, some other have the same problem, this might be an alternative solution.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card