Cisco Bug: CSCvv55387 - DOC: Explanation of syslog messages ASA-3-305006 and FTD-3-305006 should be revised

Last Modified

Sep 23, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3) 9.14(1) 9.8(4)

Description (partial)

Symptom:
The explanation of the syslog messages ASA-3-305006 and FTD-3-305006 should be revised as follows:

1. All references to the NAT commands of pre-8.3 ASA software should be removed, as they are not relevant to newer versions.

2. Documentation should mention that the above syslogs are generated when ICMP error inspection is enabled in the Modular Policy Framework (MPF) and the following conditions are met:

- There is a connection established through the device whose forward and reverse flows use different protocols. For example, the forward flow is UDP or TCP and the reverse flow is ICMP. This is the case when either the receiver or an intermediary device in the path returns ICMP error messages, e.g. type 3 code 3 (destination unreachable, port unreachable).

- A dynamic NAT/PAT statement matches the packets of the reverse flow but fails to translate the outer-header IP addresses, because the device does not apply PAT to all ICMP message types; it applies PAT only to ICMP echo and echo-reply packets (types 8 and 0).

Conditions:
The symptoms are observed when all the following known conditions match:

- Forward and reverse flows of a connection have different protocols. For example, forward flow is UDP or TCP, reverse flow is ICMP.

- A dynamic NAT/PAT statement matches the packets of the reverse flow but fails to translate the outer-header IP addresses, because the device does not apply PAT to ICMP message types other than Echo and Echo Reply (types 8 and 0).

- ICMP error inspection is enabled.
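To turn the conditions above into something an analyst can apply to a log feed, here is an added Python example (not Cisco's code and not part of the bug report) that parses 305006 messages and separates the case described here, an ICMP error on the reverse flow that dynamic PAT does not translate, from ICMP echo or TCP/UDP translation failures that deserve investigation. The sample log lines are constructed for the example using RFC 5737 documentation addresses; the message layout follows the documented 305006 format, while the trailing "(type N, code M)" ICMP suffix and the verdict labels are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of the documented %ASA-3-305006 / %FTD-3-305006 message:
#   %ASA-3-305006: <kind> translation creation failed for <proto>
#       src <interface>:<ip>[/<port>] dst <interface>:<ip>[/<port>]
# The "(type N, code M)" suffix for ICMP is an assumption of this example (it is how
# ASA connection syslogs report ICMP type/code), so it is optional in the pattern.
MSG_RE = re.compile(
    r"%(?P<platform>ASA|FTD)-3-305006: "
    r"(?P<kind>outbound static|identity|portmap|regular) translation creation failed for "
    r"(?P<proto>[A-Za-z0-9]+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[0-9.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[0-9.]+)(?:/(?P<dst_port>\d+))?"
    r"(?:\s+\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)

# Per the bug text, dynamic PAT translates only ICMP echo request (8) and echo reply (0).
PAT_TRANSLATED_ICMP_TYPES = {0, 8}

# Verdict labels (names chosen for this example).
EXPECTED_ICMP_ERROR = "expected: ICMP error on reverse flow, not PAT-translated"
ICMP_ECHO_UNEXPECTED = "investigate: echo/echo-reply should be PAT-translated"
ICMP_TYPE_UNKNOWN = "investigate: ICMP type not present in message"
NAT_FAILURE = "investigate: TCP/UDP translation failure (PAT pool or NAT config)"


@dataclass
class Event:
    platform: str
    kind: str
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def parse_305006(line: str) -> Optional[Event]:
    """Return an Event for a 305006 line, or None for any other syslog message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()

    def to_int(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None else None

    return Event(
        platform=g["platform"], kind=g["kind"], proto=g["proto"].lower(),
        src_if=g["src_if"], src_ip=g["src_ip"], src_port=to_int(g["src_port"]),
        dst_if=g["dst_if"], dst_ip=g["dst_ip"], dst_port=to_int(g["dst_port"]),
        icmp_type=to_int(g["icmp_type"]), icmp_code=to_int(g["icmp_code"]),
    )


def classify(ev: Event) -> str:
    """Apply the bug's conditions: a non-echo ICMP message failing dynamic PAT is expected."""
    if ev.proto != "icmp":
        return NAT_FAILURE
    if ev.icmp_type is None:
        return ICMP_TYPE_UNKNOWN
    if ev.icmp_type in PAT_TRANSLATED_ICMP_TYPES:
        return ICMP_ECHO_UNEXPECTED
    return EXPECTED_ICMP_ERROR


def triage(lines: List[str]) -> List[Tuple[str, Event]]:
    """Parse a log feed and return (verdict, event) for every 305006 message in it."""
    results = []
    for line in lines:
        ev = parse_305006(line)
        if ev is not None:
            results.append((classify(ev), ev))
    return results


# Constructed sample lines (RFC 5737 addresses); not captured from a real device.
SAMPLE_LOG = [
    # Reverse-flow port-unreachable (type 3, code 3) for an inside->outside UDP flow.
    "%ASA-3-305006: regular translation creation failed for icmp "
    "src outside:203.0.113.9 dst inside:10.1.1.20 (type 3, code 3)",
    # TTL-exceeded (type 11) returned by an intermediary router; same mechanism.
    "%FTD-3-305006: portmap translation creation failed for icmp "
    "src outside:198.51.100.1 dst inside:10.1.1.21 (type 11, code 0)",
    # A TCP translation failure is a genuine NAT problem, not this bug's benign case.
    "%ASA-3-305006: portmap translation creation failed for tcp "
    "src inside:10.1.1.30/51234 dst outside:203.0.113.50/443",
    # Unrelated message ID; the parser ignores it.
    "%ASA-6-302013: Built outbound TCP connection 4242 for outside:203.0.113.50/443 "
    "(203.0.113.50/443) to inside:10.1.1.30/51234 (192.0.2.10/51234)",
]

if __name__ == "__main__":
    for verdict, ev in triage(SAMPLE_LOG):
        print(f"{ev.platform} {ev.proto:4} {ev.src_if}:{ev.src_ip} -> "
              f"{ev.dst_if}:{ev.dst_ip}  {verdict}")
```

Run it against a real syslog export to confirm the ICMP type/code suffix appears in your device's 305006 output before relying on the ICMP classification; if it does not, the parser reports the type as unknown rather than guessing.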