https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939833#M925712 <P>Hi,</P> <P>I think you did not read my comment properly, you cannot configure this command using Flexconfig on newer versions of FTD.</P> <P>&nbsp;</P> <P>As per the cisco guide <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html#id_71096" target="_self">here</A>, you need to define an Extended ACL and modify the <SPAN class="ph uicontrol">Threat Defense Service Policy to reference the ACL and then tick the box to "Enable Decrement TTL"</SPAN>. See the screenshots I previously provided.</P> <P>&nbsp;</P> <P>HTH</P> Sun, 13 Oct 2019 19:28:45 GMT Rob Ingram 2019-10-13T19:28:45Z https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939572#M925697 <P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ddd.jpg" style="width: 800px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46749iD46362E6D8CE6F88/image-size/large?v=v2&amp;px=999" role="button" title="ddd.jpg" alt="ddd.jpg" /></span></P><P>&nbsp;</P><P><SPAN>please help me . i can not do it&nbsp;</SPAN></P><P>&nbsp;</P> Fri, 21 Feb 2020 17:35:10 GMT https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939572#M925697 saber.sattari 2020-02-21T17:35:10Z https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939608#M925701 <P>Try removing the "icmp..." line and putting that in a separate FlexConfig object.</P> <P>Also make sure you've typed in the line manually and not pasted it from an external text editor.</P> <P>It works fine on my FMC (currently running 6.5.0 but this config has been in place since 6.1.x):</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TTL FlexConfig.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46754iAC8E1AD3AB691457/image-size/large?v=v2&amp;px=999" role="button" title="TTL FlexConfig.PNG" alt="TTL FlexConfig.PNG" /></span></P> Sat, 12 Oct 2019 11:41:40 GMT https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939608#M925701 Marvin Rhoads 2019-10-12T11:41:40Z https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939629#M925707 <P>Hi,</P> <P>The flexconfig method certainly worked before on older versions of FTD, but I've recently deployed FTD 6.4 and I recieved the same error "error - unsupported CLI" as you do.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html#id_71096" target="_self">This</A> cisco documentation provides provides the new method to configure. You will need to define and extended ACL, then define a "Threat Defense Service Rule" under the Access Control Policy &gt; Advanced settings.</P> <P>&nbsp;</P> <P><STRONG>ACL</STRONG></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="acl.PNG" style="width: 724px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46758i4B5BBCAB43896584/image-dimensions/724x184?v=v2" width="724" height="184" role="button" title="acl.PNG" alt="acl.PNG" /></span></P> <P>&nbsp;</P> <P><STRONG>Threat Defense Service Policy</STRONG></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="advanced settings.PNG" style="width: 547px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46760i736218CA4BF58F14/image-dimensions/547x561?v=v2" width="547" height="561" role="button" title="advanced settings.PNG" alt="advanced settings.PNG" /></span></STRONG></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="polc summary.PNG" style="width: 771px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46759i3B56900920925471/image-dimensions/771x253?v=v2" width="771" height="253" role="button" title="polc summary.PNG" alt="polc summary.PNG" /></span></P> <P>&nbsp;</P> <P>Once configured the output on the CLI is the same syntax as before, I assume Cisco has just removed the ability to configure via Flexconfig in newer versions.</P> <P>&nbsp;</P> <P>HTH</P> Sat, 12 Oct 2019 12:54:48 GMT https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939629#M925707 Rob Ingram 2019-10-12T12:54:48Z https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939728#M925709 <P>Good catch&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>!</P> <P>It looks like upgraded FMC carries forward the old syntax but new installations require you to use the new method. That's confusing to say the least.</P> Sun, 13 Oct 2019 02:51:19 GMT https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939728#M925709 Marvin Rhoads 2019-10-13T02:51:19Z https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939797#M925711 <P><SPAN class="tlid-translation translation"><SPAN class="">Thank you for your answer</SPAN><BR /><SPAN class="">But the problem still exists</SPAN></SPAN></P><P><SPAN class="tlid-translation translation">marvin , RJI&nbsp;</SPAN></P><P><SPAN class="tlid-translation translation"><SPAN class="">I did all that you said ,&nbsp;But when I write the word (connection ), the problem is correct</SPAN></SPAN></P><P><SPAN class="tlid-translation translation"><SPAN class=""><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46774i3CCB5BA046599B8F/image-size/large?v=v2&amp;px=999" role="button" title="1.jpg" alt="1.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/46775i6F3CCDD0BF4F89A2/image-size/large?v=v2&amp;px=999" role="button" title="2.jpg" alt="2.jpg" /></span></SPAN></SPAN></P><P>&nbsp;</P> Sun, 13 Oct 2019 13:46:14 GMT https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939797#M925711 saber.sattari 2019-10-13T13:46:14Z https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939833#M925712 <P>Hi,</P> <P>I think you did not read my comment properly, you cannot configure this command using Flexconfig on newer versions of FTD.</P> <P>&nbsp;</P> <P>As per the cisco guide <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html#id_71096" target="_self">here</A>, you need to define an Extended ACL and modify the <SPAN class="ph uicontrol">Threat Defense Service Policy to reference the ACL and then tick the box to "Enable Decrement TTL"</SPAN>. See the screenshots I previously provided.</P> <P>&nbsp;</P> <P>HTH</P> Sun, 13 Oct 2019 19:28:45 GMT https://community.cisco.com/t5/network-security/problem-with-decrement-ttl-traceroute/m-p/3939833#M925712 Rob Ingram 2019-10-13T19:28:45Z