topic Re: FTD: ICMP Inspection Issue in Network Security

FTD: ICMP Inspection Issue

hashimwajid1 — Fri, 21 Feb 2020 14:30:14 GMT

recently i deployed FTD 2140 in HA. i created multiple sub-interfaces on FTD for inter-vlan routing. i am facing one issue regarding Ping between host in different VLANs and i am not able to ping between hosts in different VLANs.

1- ICMP inspection is enable via flexconfig ( i can see in running-config icmp inspection)

2- i also allowed ICMP in policy

3- all traffic is permitted in firewall

4- i can do RDP to host in different VLANs but cannot ping

5- in Packet capture only echo request can be seen but no echo reply

6- in FMC log i cannot see ICMP reply

FMC version is 6.2.2 and FTD version is 6.2.1

Re: FTD: ICMP Inspection Issue

ostorvacisco — Fri, 23 Feb 2018 12:53:55 GMT

I had the same isse.

Disabling icmp inspect fixed me issue.

You can disable it with flexconfig:

policy-map global_policy
class inspection_default
no inspect ftp

Re: FTD: ICMP Inspection Issue

#Mat — Fri, 23 Feb 2018 13:13:27 GMT

Hi ostorvacisco, let me modify your lines.

no inspect icmp

Hi hashimwajid1, also you can check inspect drop with:

show service-policy

show asp drop

Regards.-

Re: FTD: ICMP Inspection Issue

ostorvacisco — Fri, 23 Feb 2018 15:56:39 GMT

Thank you Matias.

To troubleshoot deeper you can capture packets, with the following capture you can see what packets are drop in ASP.

capture CAP type asp-drop

show capture CAP

2: 10:55:09.590957 802.1Q vlan#3604 P6 arp reply 192.168.236.85 is-at 0:0:c:9f:fe:14 Drop-reason: (l2_same-lan-port) L2 Src/Dst same LAN port

I realized that some arp-reply were discarded, I dont know exactly why, but disabling that inspect the issue disapeared.

Regards,

Oscar

Re: FTD: ICMP Inspection Issue

#Mat — Mon, 19 Mar 2018 19:59:36 GMT

Hi, today I had this issue I found that FTD 6.2 has ICMP inspection disable by default.

For enabling you can do it by CLI:

configure inspection ICMP enable

Regards.-