https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5049981#M1110331 <P>Hi All,</P><P>I'm trying to allow traceroute through the firewall as per the below doc, however, when I update the Platform Settings to permit traceroute on Inside, Outside and another zone, SLA monitor which is tracking the primary ISP goes down and failover to the secondary ISP.&nbsp; I've set the rate-limit and burst-limit to 3.</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215237-allow-traceroute-through-firepower-threa.html" target="_blank">Allow Traceroute through Firepower Threat Defense (FTD) - Cisco</A></P><P>The SLA, Track and routing configs below, basically it's monitoring and tracking the primary ISP1's nexthop addresses (1.1.1.1 and 2.2.2.2 in the below example), and if both fails the floating default route would kick in.</P><P>#####SLA monitor configuration####</P><P>&gt; show sla monitor configuration<BR />SA Agent, Infrastructure Engine-II<BR />Entry number: 1<BR />Owner:<BR />Tag:<BR />Type of operation to perform: echo<BR />Target address: 1.1.1.1<BR />Interface: ISP1<BR />Number of packets: 1<BR />Request size (ARR data portion): 28<BR />Operation timeout (milliseconds): 5000<BR />Type Of Service parameters: 0x0<BR />Verify data: No<BR />Operation frequency (seconds): 15<BR />Next Scheduled Start Time: Start Time already passed<BR />Group Scheduled : FALSE<BR />Life (seconds): Forever<BR />Entry Ageout (seconds): never<BR />Recurring (Starting Everyday): FALSE<BR />Status of entry (SNMP RowStatus): Active<BR />Enhanced History:</P><P>Entry number: 2<BR />Owner:<BR />Tag:<BR />Type of operation to perform: echo<BR />Target address: 2.2.2.2<BR />Interface: ISP1<BR />Number of packets: 1<BR />Request size (ARR data portion): 28<BR />Operation timeout (milliseconds): 5000<BR />Type Of Service parameters: 0x0<BR />Verify data: No<BR />Operation frequency (seconds): 15<BR />Next Scheduled Start Time: Start Time already passed<BR />Group Scheduled : FALSE<BR />Life (seconds): Forever<BR />Entry Ageout (seconds): never<BR />Recurring (Starting Everyday): FALSE<BR />Status of entry (SNMP RowStatus): Active<BR />Enhanced History:</P><P>&gt;</P><P>####track configuration####</P><P>&gt; show track<BR />Track 1<BR />Response Time Reporter 2 reachability<BR />Reachability is Up<BR />112 changes, last change 01:34:05<BR />Latest operation return code: OK<BR />Latest RTT (millisecs) 1<BR />Tracked by:<BR />STATIC-IP-ROUTING 0<BR />Track 2<BR />Response Time Reporter 1 reachability<BR />Reachability is Up<BR />98 changes, last change 2d04h<BR />Latest operation return code: OK<BR />Latest RTT (millisecs) 1<BR />Tracked by:<BR />STATIC-IP-ROUTING 0<BR />&gt;</P><P><BR />####routing####<BR />route ISP1 0.0.0.0 0.0.0.0 192.168.100.1 1 track 1<BR />route ISP1 0.0.0.0 128.0.0.0 192.168.100.1 1 track 2<BR />route ISP1 128.0.0.0 128.0.0.0 192.168.100.1 1 track 2<BR />route ISP2 0.0.0.0 0.0.0.0 192.168.200.1 5</P><P>####</P><P>&nbsp;</P><P>The ACP is allowing icmp3 and icmp11 from OUTSIDE zone to the host that I want to allow traceroute. (the destination host does not resides in INSIDE, but a different zone)</P><P>I notice that the above Cisco doc says "<STRONG>Caution</STRONG><SPAN>: Ensure&nbsp;</SPAN><STRONG>ICMP Destination Unreachable (Type 3) and ICMP Time Exceeded (Type 11)</STRONG><SPAN>&nbsp;are allowed from Outside to Inside in the ACL policy or Fastpath'ed in Pre-filter policy.", not sure whether this is causing the issue.</SPAN></P><P><SPAN>Any suggestions are very much appreciated.</SPAN></P><P>&nbsp;</P><P><SPAN>Many thanks,</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 25 Mar 2024 12:05:29 GMT atsukane 2024-03-25T12:05:29Z https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5049981#M1110331 <P>Hi All,</P><P>I'm trying to allow traceroute through the firewall as per the below doc, however, when I update the Platform Settings to permit traceroute on Inside, Outside and another zone, SLA monitor which is tracking the primary ISP goes down and failover to the secondary ISP.&nbsp; I've set the rate-limit and burst-limit to 3.</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215237-allow-traceroute-through-firepower-threa.html" target="_blank">Allow Traceroute through Firepower Threat Defense (FTD) - Cisco</A></P><P>The SLA, Track and routing configs below, basically it's monitoring and tracking the primary ISP1's nexthop addresses (1.1.1.1 and 2.2.2.2 in the below example), and if both fails the floating default route would kick in.</P><P>#####SLA monitor configuration####</P><P>&gt; show sla monitor configuration<BR />SA Agent, Infrastructure Engine-II<BR />Entry number: 1<BR />Owner:<BR />Tag:<BR />Type of operation to perform: echo<BR />Target address: 1.1.1.1<BR />Interface: ISP1<BR />Number of packets: 1<BR />Request size (ARR data portion): 28<BR />Operation timeout (milliseconds): 5000<BR />Type Of Service parameters: 0x0<BR />Verify data: No<BR />Operation frequency (seconds): 15<BR />Next Scheduled Start Time: Start Time already passed<BR />Group Scheduled : FALSE<BR />Life (seconds): Forever<BR />Entry Ageout (seconds): never<BR />Recurring (Starting Everyday): FALSE<BR />Status of entry (SNMP RowStatus): Active<BR />Enhanced History:</P><P>Entry number: 2<BR />Owner:<BR />Tag:<BR />Type of operation to perform: echo<BR />Target address: 2.2.2.2<BR />Interface: ISP1<BR />Number of packets: 1<BR />Request size (ARR data portion): 28<BR />Operation timeout (milliseconds): 5000<BR />Type Of Service parameters: 0x0<BR />Verify data: No<BR />Operation frequency (seconds): 15<BR />Next Scheduled Start Time: Start Time already passed<BR />Group Scheduled : FALSE<BR />Life (seconds): Forever<BR />Entry Ageout (seconds): never<BR />Recurring (Starting Everyday): FALSE<BR />Status of entry (SNMP RowStatus): Active<BR />Enhanced History:</P><P>&gt;</P><P>####track configuration####</P><P>&gt; show track<BR />Track 1<BR />Response Time Reporter 2 reachability<BR />Reachability is Up<BR />112 changes, last change 01:34:05<BR />Latest operation return code: OK<BR />Latest RTT (millisecs) 1<BR />Tracked by:<BR />STATIC-IP-ROUTING 0<BR />Track 2<BR />Response Time Reporter 1 reachability<BR />Reachability is Up<BR />98 changes, last change 2d04h<BR />Latest operation return code: OK<BR />Latest RTT (millisecs) 1<BR />Tracked by:<BR />STATIC-IP-ROUTING 0<BR />&gt;</P><P><BR />####routing####<BR />route ISP1 0.0.0.0 0.0.0.0 192.168.100.1 1 track 1<BR />route ISP1 0.0.0.0 128.0.0.0 192.168.100.1 1 track 2<BR />route ISP1 128.0.0.0 128.0.0.0 192.168.100.1 1 track 2<BR />route ISP2 0.0.0.0 0.0.0.0 192.168.200.1 5</P><P>####</P><P>&nbsp;</P><P>The ACP is allowing icmp3 and icmp11 from OUTSIDE zone to the host that I want to allow traceroute. (the destination host does not resides in INSIDE, but a different zone)</P><P>I notice that the above Cisco doc says "<STRONG>Caution</STRONG><SPAN>: Ensure&nbsp;</SPAN><STRONG>ICMP Destination Unreachable (Type 3) and ICMP Time Exceeded (Type 11)</STRONG><SPAN>&nbsp;are allowed from Outside to Inside in the ACL policy or Fastpath'ed in Pre-filter policy.", not sure whether this is causing the issue.</SPAN></P><P><SPAN>Any suggestions are very much appreciated.</SPAN></P><P>&nbsp;</P><P><SPAN>Many thanks,</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 25 Mar 2024 12:05:29 GMT https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5049981#M1110331 atsukane 2024-03-25T12:05:29Z https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050099#M1110333 <P>Ftd mgmt by fmc? If yes in fmc increase little the rate limit of icmp.</P> <P>I think you hit the limit and hence the ftd drop some icmp which make route down</P> <P>MHM</P> Mon, 25 Mar 2024 15:37:20 GMT https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050099#M1110333 MHM Cisco World 2024-03-25T15:37:20Z https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050155#M1110338 <P>hi, yes, the FTDs are FMC managed.</P> Mon, 25 Mar 2024 16:50:25 GMT https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050155#M1110338 atsukane 2024-03-25T16:50:25Z https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050157#M1110339 <P><SPAN>Devices&gt;Platform Settings&gt;icmp</SPAN></P> <P><SPAN>Rate limit</SPAN></P> <P><SPAN>Increase it little&nbsp;</SPAN></P> <P><SPAN>MHM</SPAN></P> Mon, 25 Mar 2024 16:55:36 GMT https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050157#M1110339 MHM Cisco World 2024-03-25T16:55:36Z https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050158#M1110340 <P>Thanks, I'll try that.</P><P>I've since found this link as well&nbsp;<A href="https://integratingit.wordpress.com/2019/10/12/ftd-allow-traceroute/" target="_blank">FTD allow ICMP/traceroute – integrating IT (wordpress.com)</A>&nbsp;which seems to involve more than the Cisco doc, but from the URL it looks like this was written back in 2019 so not all steps stated here may be required.</P> Mon, 25 Mar 2024 16:59:33 GMT https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050158#M1110340 atsukane 2024-03-25T16:59:33Z https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050163#M1110341 <P>If rate not help you then check</P> <P>Acp is allow icmp destiantion unreachable and icmp time exceeded for traceroute&nbsp;</P> <P>Add to it icmp reply' I know the traffic toward FTD interface not effect by ACP but let only check.</P> <P>MHM</P> Mon, 25 Mar 2024 17:09:28 GMT https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5050163#M1110341 MHM Cisco World 2024-03-25T17:09:28Z https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5053506#M1110537 <P>Device&gt;platform setting&nbsp;</P> <P>Icmp</P> <P>Add to this list icmp reply&nbsp;</P> <P>Waiting your reply&nbsp;</P> <P>Thanks&nbsp;</P> <P>MHM</P> Sat, 30 Mar 2024 17:46:28 GMT https://community.cisco.com/t5/network-security/traceroute-through-ftd-vs-sla-monitor/m-p/5053506#M1110537 MHM Cisco World 2024-03-30T17:46:28Z