Solved

Cisco ASA message

Posted on 2011-09-30
5
3,214 Views
Last Modified: 2012-05-12
Hello Experts,
I have a Cisco ASA-5520 running version 8.4(1). I've been seeing quite a few of these messages in my syslog lately. What has me concerned is that the message says that the packet originates from the inside interface & that the source is 10.37.131.58.  I have no such address space on my internal network. 192.168.1.7 is the router facing the Cisco ASA. Can someone enlighten me as to what is going on?

%ASA-4-313005: No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58 (type 11, code 0) on inside interface.
Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.
0
Comment
Question by:SpokaneISD
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36892797
No, it says the destination is 10.37.131.58.

icmp src inside:192.168.1.7 dst Outside:10.37.131.58
0
 

Author Comment

by:SpokaneISD
ID: 36892853
The message is rather confusing as there are two componants:
1:  No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58
2: Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.

So which is the ACTUAL source IP?
If the source of 192.168.1.7 is the real inside source, I can't figure out why my router would be trying to ping that destination address.


0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36894049
Hmm...  Good question.  Do you have a VPN tunnel to someplace that uses 10.x.x.x addressing?

Looks like the original payload is HTTPS (destination port 443).  
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36897646
IT almost seems as if a public PC connected over 443 to your host at 192.168.1.7.    Your .7 host almost seems to be sending an ICMP echo back in response to this through the ASA, but the ASA drops it because there was no matching inbound icmp.  

0
 

Author Comment

by:SpokaneISD
ID: 36905536
So as it turns out 10.37.131.58 is on another internal network that is connected to my main internal network.  This network has a different group of administrators & they were inadvertently sending traffic towards me that should have been going out their firewall.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sharing same loopback address on different switches 1 23
BGP Code 12 47
ASA configuration 2 29
Connecting a New Subnet to Network 4 28
There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question