Every few minutes our Cisco ASA 5505 firewall is logging errors that I can't figure out with my limited Cisco experience.
Severity Date Time Syslog ID Source IP Destination IP Description
3 Mar 25 2010 17:21:14 305006 8.8.8.8 regular translation creation failed for icmp src inside:10.10.0.206 dst outside:8.8.8.8 (type 3, code 3)
3 Mar 25 2010 17:18:37 305006 8.8.4.4 regular translation creation failed for icmp src inside:10.10.0.206 dst outside:8.8.4.4 (type 3, code 3)
The logged inside IP is our internal DNS server, and the outside IPs are Google's public DNS servers, which we're using as forwarders in our local BIND config. ICMP Type 3 Code 3 means "Port Unreachable".
The 'Inspect DNS', 'Inspect ICMP' and 'Inspect ICMP Errors' global Service Policies are enabled, with the default inspection maps.
Our "outside" interface has a fixed IP and our "inside" interface is in the 10.10.0.0/16 subnet. The 10.10.0.206 IP is our internal BIND DNS server, and DNS is resolving fine. Using different DNS forwarders, such as OpenDNS, generates the same errors.
I've spent days trying to figure this one out, so any and all advice is appreciated!
You could try the following, from most likely to least likely:
If none of these things fix the issue, try setting up captures as follows:
Then, after a couple of these errors are logged (if I recall correctly, this is the syntax):
This looks like a mismatch in the firewall's NAT state-table timeouts and the DNS server's own timeouts.
ICMP Port Unreachable is being returned by your DNS server, probably in response to a late received packet. BIND picks a random(ish) port for each outbound query, and it's possible for a long-delayed response to arrive long after BIND stopped listening for the response on that port.
That does beg the question of why the firewall happily allows the (late) returned packet in, without subsequently letting the ICMP error back out.
Here is one reason why we see this message on our ASA:
When a PC/server is running a torrent client, it sets up a lot of NAT sessions. When the user then closes/terminates the torrent client, we get lots of this error for a long time.
What to do with it: not sure. Why you get this message for 8.8.8.8, Google's public DNS: not sure. It may be a program that has been terminated while having an open session to the DNS server.
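Added example, not from the question or any of the answers: a small Python parser for ASA syslog ID 305006 lines that accepts both the ASDM table layout pasted in the question and the raw "%ASA-3-305006:" form, tags ICMP type 3 code 3 events as the late-reply/port-unreachable case described in the second answer, and counts distinct destinations per inside host so the "one DNS server, two forwarders" pattern can be told apart from the "one host just dropped a pile of P2P sessions" pattern from the last answer. The sample log below is constructed: only the first two lines are from the question, the rest are made-up illustrations (203.0.113.x and 192.0.2.x are documentation ranges), and the burst threshold is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample. Lines 1-2 are the question's two events (ASDM layout);
# lines 3-5 are invented raw-syslog lines for a host that closed a P2P
# client; line 6 is an unrelated 302015 line that must be ignored.
SAMPLE_LOG = """\
3 Mar 25 2010 17:21:14 305006 8.8.8.8 regular translation creation failed for icmp src inside:10.10.0.206 dst outside:8.8.8.8 (type 3, code 3)
3 Mar 25 2010 17:18:37 305006 8.8.4.4 regular translation creation failed for icmp src inside:10.10.0.206 dst outside:8.8.4.4 (type 3, code 3)
%ASA-3-305006: regular translation creation failed for icmp src inside:10.10.0.57 dst outside:203.0.113.10 (type 3, code 3)
%ASA-3-305006: regular translation creation failed for icmp src inside:10.10.0.57 dst outside:203.0.113.11 (type 3, code 3)
%ASA-3-305006: regular translation creation failed for udp src inside:10.10.0.57/6881 dst outside:203.0.113.12/6881
%ASA-6-302015: Built outbound UDP connection 1234 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.10.0.206/40123 (192.0.2.1/40123)
"""

# Matches the 305006 message body regardless of what precedes it; the
# "/port" parts exist only for tcp/udp and the "(type, code)" part only for icmp.
PATTERN = re.compile(
    r"305006.*?regular translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)


@dataclass(frozen=True)
class Xlate305006:
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_305006(log_text: str) -> List[Xlate305006]:
    """Extract every 305006 event from a blob of syslog text; other IDs are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        g = m.groupdict()
        events.append(Xlate305006(
            g["proto"].lower(), g["src"], g["dst"],
            _to_int(g["sport"]), _to_int(g["dport"]),
            _to_int(g["type"]), _to_int(g["code"]),
        ))
    return events


def classify(ev: Xlate305006) -> str:
    """Explain what kind of xlate failure this is, in defender terms."""
    if ev.proto == "icmp" and ev.icmp_type == 3 and ev.icmp_code == 3:
        # The inside host is rejecting a packet for a UDP port it no longer
        # listens on; the original flow's xlate has already expired, so the
        # ASA cannot map the ICMP error back out. Typically benign.
        return "port-unreachable from inside host for an already-closed flow"
    if ev.proto == "icmp":
        return f"icmp type {ev.icmp_type} code {ev.icmp_code} with no matching xlate"
    # A fresh tcp/udp flow that could not get a translation points at NAT
    # rules or pool exhaustion rather than at timing.
    return f"new outbound {ev.proto} flow to {ev.dst}/{ev.dport} could not get an xlate"


def per_source(events: List[Xlate305006], burst_threshold: int = 3) -> Dict[str, dict]:
    """Count events per inside host and flag hosts talking to many distinct peers.

    burst_threshold is an assumed value for illustration; tune it to your log volume.
    """
    counts: Counter = Counter()
    dsts = defaultdict(set)
    for ev in events:
        counts[ev.src] += 1
        dsts[ev.src].add(ev.dst)
    return {
        src: {
            "events": counts[src],
            "distinct_dst": len(dsts[src]),
            "burst": len(dsts[src]) >= burst_threshold,
        }
        for src in counts
    }


if __name__ == "__main__":
    evs = parse_305006(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.src} -> {ev.dst} [{ev.proto}]: {classify(ev)}")
    for src, info in per_source(evs).items():
        print(src, info)
```

For the question's own two lines this prints two "port-unreachable ... already-closed flow" entries for 10.10.0.206 with two distinct destinations and no burst flag, while the constructed 10.10.0.57 host trips the burst flag, which is the shape the torrent explanation predicts. Feeding it `show logging` output from the ASA works the same way since the regex does not depend on the ASDM column prefix.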