Cisco ASA logs "regular translation creation failed for icmp ..." for DNS traffic, yet it works


Solution 1

This looks like a mismatch in the firewall's NAT state-table timeouts and the DNS server's own timeouts.

ICMP Port Unreachable is being returned by your DNS server, probably in response to a late received packet. BIND picks a random(ish) port for each outbound query, and it's possible for a long-delayed response to arrive long after BIND stopped listening for the response on that port.

That does beg the question of why the firewall happily allows the (late) returned packet in, without subsequently letting the ICMP error back out.
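
As an added illustration of the mechanism described in this answer (example code written for this page, not part of either answer or of any Cisco tooling), the script below parses ASA syslog message 305006 lines and labels the ICMP type 3/code 3 events that run from a known internal resolver to one of its configured forwarders as the benign "late DNS reply" case, separating them from ICMP translation failures involving other hosts and from TCP/UDP translation failures, which usually point at a real NAT problem. The raw-syslog form of the lines, the resolver and forwarder addresses and the sample log are all constructed here from the values in the question; the regular expression assumes the message body format shown on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Body of Cisco ASA syslog 305006 ("regular translation creation failed ...").
# ICMP events carry "(type N, code M)"; TCP/UDP events carry /port on each
# address. The pattern is an assumption based on the lines in the question.
XLATE_FAIL_RE = re.compile(
    r"regular translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)


@dataclass
class XlateFailure:
    proto: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def parse_305006(line: str) -> Optional[XlateFailure]:
    """Parse one syslog line; return None for any other message."""
    m = XLATE_FAIL_RE.search(line)
    if m is None:
        return None
    return XlateFailure(
        proto=m["proto"].lower(),
        src_if=m["src_if"], src_ip=m["src_ip"],
        dst_if=m["dst_if"], dst_ip=m["dst_ip"],
        icmp_type=int(m["type"]) if m["type"] else None,
        icmp_code=int(m["code"]) if m["code"] else None,
    )


def classify(ev: XlateFailure, dns_servers: set, forwarders: set) -> str:
    """Label one translation-failure event.

    'late-dns-reply': ICMP port unreachable (type 3, code 3) sent by a known
        internal resolver towards one of its forwarders: the resolver closed
        the query socket before a delayed reply arrived, so there is no state
        for the firewall to match the error against.
    'icmp-other': any other ICMP message the firewall could not translate.
    'non-icmp':   TCP/UDP failures, which deserve a look at NAT/global config.
    """
    if ev.proto == "icmp":
        if ((ev.icmp_type, ev.icmp_code) == (3, 3)
                and ev.src_ip in dns_servers and ev.dst_ip in forwarders):
            return "late-dns-reply"
        return "icmp-other"
    return "non-icmp"


def triage(lines: Iterable[str], dns_servers: set, forwarders: set) -> Counter:
    """Count events per label; lines that are not message 305006 are skipped."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_305006(line)
        if ev is not None:
            counts[classify(ev, dns_servers, forwarders)] += 1
    return counts


# Constructed sample log: the two events from the question in raw syslog form,
# one ICMP event from an unrelated inside host, one UDP translation failure
# and one unrelated connection-teardown message.
SAMPLE_LOG = [
    "Mar 25 2010 17:21:14 asa %ASA-3-305006: regular translation creation failed "
    "for icmp src inside:10.10.0.206 dst outside:8.8.8.8 (type 3, code 3)",
    "Mar 25 2010 17:18:37 asa %ASA-3-305006: regular translation creation failed "
    "for icmp src inside:10.10.0.206 dst outside:8.8.4.4 (type 3, code 3)",
    "Mar 25 2010 17:19:02 asa %ASA-3-305006: regular translation creation failed "
    "for icmp src inside:10.10.0.55 dst outside:198.51.100.9 (type 3, code 3)",
    "Mar 25 2010 17:19:40 asa %ASA-3-305006: regular translation creation failed "
    "for udp src inside:10.10.0.77/51515 dst outside:203.0.113.5/53",
    "Mar 25 2010 17:19:41 asa %ASA-6-302014: Teardown TCP connection 12345 "
    "for outside:203.0.113.5/443 to inside:10.10.0.77/40000 duration 0:00:05",
]

DNS_SERVERS = {"10.10.0.206"}          # internal BIND resolver from the question
FORWARDERS = {"8.8.8.8", "8.8.4.4"}    # forwarders named in the question

if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_LOG, DNS_SERVERS, FORWARDERS).items()):
        print(f"{label}: {n}")
```

Feed it the firewall's syslog export instead of SAMPLE_LOG and adjust the two sets to your own resolver and forwarder addresses; a steady trickle of "late-dns-reply" events is the harmless case discussed here, while anything counted under the other two labels is worth checking against the NAT and access-list points in the next answer.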

Solution 2

You could try the following, from most likely to least likely:

  • You may need to enable "Inspect ICMP" in order to make ICMP replies work correctly - this is the case with the newer ASA software (as of 8.2, I believe)
  • Check that you have the appropriate NAT statement(s) on the inside interface and GLOBAL statement on the outside interface
  • Check that your access-list on the inside interface allows outbound ICMP that matches this traffic

If none of these things fix the issue, try setting up captures as follows:

asa(config)# access-list test permit icmp host 10.10.0.200 8.8.0.0 255.255.0.0
asa(config)# access-list test permit icmp host <outside interface IP> 8.8.0.0 255.255.0.0
asa(config)# access-list test permit icmp 8.8.0.0 255.255.0.0 host 10.10.0.200
asa(config)# access-list test permit icmp 8.8.0.0 255.255.0.0 host <outside interface IP>
asa# capture test1 access-list test interface outside trace
asa# capture test2 access-list test interface inside trace

Then, after a couple of these errors are logged (if I recall correctly, this is the syntax):

asa# show capture test1 trace
asa# show capture test2 trace
Author: Atulmaharaj

Updated on September 17, 2022

Comments

  • Atulmaharaj over 1 year

    Every few minutes our Cisco ASA 5505 firewall is logging errors that I can't figure out with my limited Cisco experience.

    Severity Date        Time        Syslog ID Source IP  Destination IP  Description
    3     Mar 25 2010 17:21:14 305006   8.8.8.8                    regular translation creation failed for icmp src inside:10.10.0.206 dst outside:8.8.8.8 (type 3, code 3)
    3     Mar 25 2010 17:18:37 305006   8.8.4.4                    regular translation creation failed for icmp src inside:10.10.0.206 dst outside:8.8.4.4 (type 3, code 3)
    

    The logged inside IP is our internal DNS server, and the outside IPs are Google's public DNS servers, which we're using as forwarders in our local BIND config. ICMP Type 3 Code 3 means "Port Unreachable".

    The 'Inspect DNS', 'Inspect ICMP' and 'Inspect ICMP Errors' global Service Policies are enabled, with the default inspection maps.

    Our "outside" interface has a fixed IP and our "inside" interface is in the 10.10.0.0/16 subnet. The 10.10.0.206 IP is our internal BIND DNS server, and DNS is resolving fine. Using different DNS forwarders, such as OpenDNS, generates the same errors.

    I've spent days trying to figure this one out, so any and all advice is appreciated!

    • Atulmaharaj over 13 years
      Weird, I've tried using other DNS servers, but they still generate the same errors occasionally. ICMP "Port Unreachable". It's a simple BIND server that forwards local queries to these servers, and performance does not seem to be affected.
  • Atulmaharaj over 13 years
    Thanks for the helpful answer. Any idea how I could make the error disappear? Changing the timeout in Bind seems to require a compile so I'd prefer to avoid that. Perhaps some change in the ASA?
  • Alnitak over 13 years
    What O/S is the BIND server on? Simply disabling the generation of the ICMP Port Unreachable packets in the first place might be sufficient.
  • Atulmaharaj over 13 years
    It's an Ubuntu 10.04 Linux machine.
  • Alnitak over 13 years
    You could use iptables, e.g. iptables -A OUTPUT -p icmp --icmp-type 3/3 -j DROP - this is untested, and may need changing for your environment, but it should drop any ICMP Port Unreachable messages.