?
Solved

Cisco ASA message

Posted on 2011-09-30
5
Medium Priority
?
3,382 Views
Last Modified: 2012-05-12
Hello Experts,
I have a Cisco ASA-5520 running version 8.4(1). I've been seeing quite a few of these messages in my syslog lately. What has me concerned is that the message says that the packet originates from the inside interface & that the source is 10.37.131.58.  I have no such address space on my internal network. 192.168.1.7 is the router facing the Cisco ASA. Can someone enlighten me as to what is going on?

%ASA-4-313005: No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58 (type 11, code 0) on inside interface.
Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.
0
Comment
Question by:SpokaneISD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36892797
No, it says the destination is 10.37.131.58.

icmp src inside:192.168.1.7 dst Outside:10.37.131.58
0
 

Author Comment

by:SpokaneISD
ID: 36892853
The message is rather confusing as there are two componants:
1:  No matching connection for ICMP error message: icmp src inside:192.168.1.7 dst Outside:10.37.131.58
2: Original IP payload: tcp src 10.37.131.58/61004 dst 72.14.204.120/443.

So which is the ACTUAL source IP?
If the source of 192.168.1.7 is the real inside source, I can't figure out why my router would be trying to ping that destination address.


0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36894049
Hmm...  Good question.  Do you have a VPN tunnel to someplace that uses 10.x.x.x addressing?

Looks like the original payload is HTTPS (destination port 443).  
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 36897646
IT almost seems as if a public PC connected over 443 to your host at 192.168.1.7.    Your .7 host almost seems to be sending an ICMP echo back in response to this through the ASA, but the ASA drops it because there was no matching inbound icmp.  

0
 

Author Comment

by:SpokaneISD
ID: 36905536
So as it turns out 10.37.131.58 is on another internal network that is connected to my main internal network.  This network has a different group of administrators & they were inadvertently sending traffic towards me that should have been going out their firewall.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question