https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779932#M1021699 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you please try configuring the inspection for the icmp_error and please let me know if this fix your problem.Also don't forget have icmp allow ACL's from source to destination in dual direction.</P><P></P><P>Regards,</P><P>Magesh</P></BODY></HTML> Sun, 15 Jul 2007 04:38:50 GMT Kmageshkumar 2007-07-15T04:38:50Z https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779931#M1021698 <P>Hi,</P><P></P><P>we have a set of FWSM running 3.2(1)</P><P>Rules are set to allow ICMP both inbound and outbound.</P><P></P><P>However traceroute gives some unexpected results, half of the hosts do not respond. It also produces the following message in the log.</P><P></P><P></P><P>%FWSM-4-313004:Denied ICMP type=icmp_type, from source_address oninterface interface_name to dest_address:no matching session </P><P></P><P>ICMP packets were dropped by the security appliance because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the security appliance or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the security appliance.</P><P></P><P>Any idea what can I do to fix this. I am not worried about the syslog message, I can always filter these out. But I need reliable traceroute.</P><P></P><P>Thank you,</P><P>Remy</P><P></P> Mon, 11 Mar 2019 10:35:07 GMT https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779931#M1021698 fauresr 2019-03-11T10:35:07Z https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779932#M1021699 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you please try configuring the inspection for the icmp_error and please let me know if this fix your problem.Also don't forget have icmp allow ACL's from source to destination in dual direction.</P><P></P><P>Regards,</P><P>Magesh</P></BODY></HTML> Sun, 15 Jul 2007 04:38:50 GMT https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779932#M1021699 Kmageshkumar 2007-07-15T04:38:50Z https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779933#M1021700 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I set icmp and icmp error inspection, ALCs allow icmp from source to destination.</P><P></P><P>Still, traceroute traffic get somewhat disrupted. It is also inconsistent. Several attempts few minutes appart do not lead to the same result.</P><P></P><P>I talked to TAC about this, and was informed of a bug ID. Expected to be addressed in next release.</P><P></P><P>Remy</P><P></P></BODY></HTML> Sun, 15 Jul 2007 23:55:02 GMT https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779933#M1021700 fauresr 2007-07-15T23:55:02Z https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779934#M1021701 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for the update.please let us know what is the current version used and the bug ID and also what new version TAC suggested.This would be helpful.</P></BODY></HTML> Mon, 16 Jul 2007 02:20:46 GMT https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779934#M1021701 Kmageshkumar 2007-07-16T02:20:46Z https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779935#M1021702 <HTML><HEAD></HEAD><BODY><P>Our FWSM is currenlty running version 3.2(1)</P><P></P><P>The bug ID TAC gave me is: CSCsj53485</P><P>From what I was told, this affects version 3.1(5) and 3.1(6) and will be addressed in 3.1(7)</P><P>It seems it also affects 3.2(1) and will be addressed in 3.2(2)</P><P></P><P>I do not have a timeframe for resolution.</P><P>Regards,</P><P>Remy</P><P></P></BODY></HTML> Mon, 16 Jul 2007 14:45:02 GMT https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779935#M1021702 fauresr 2007-07-16T14:45:02Z https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779936#M1021703 <HTML><HEAD></HEAD><BODY><P>Thanks for your detailed update.</P></BODY></HTML> Thu, 19 Jul 2007 02:44:37 GMT https://community.cisco.com/t5/network-security/icmp-thru-fwsm/m-p/779936#M1021703 Kmageshkumar 2007-07-19T02:44:37Z