https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3383922#M957912 ICMP inspection is supported in cluster deployment. Advanced inspections<BR />such as h323 and sccp aren't supported.<BR /><BR />You won't see dynamic ACLs created for inspection.<BR /><BR />However, I have seem some bugs related to ICMP in ASA cluster with PAT<BR /> Wed, 16 May 2018 05:21:02 GMT Mohammed al Baqari 2018-05-16T05:21:02Z https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3383864#M957911 <P>Do ASA clusters support inspect icmp?</P> <P>&nbsp;</P> <P>This document lists several inspections that are and are not supported.&nbsp; However it is silent regarding icmp&nbsp;inspections.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html</A></P> <P>&nbsp;</P> <P>Our ASA cluster allows us to configure the inspect icmp&nbsp;but it doesn't seem to work.&nbsp; &nbsp; We get nothing in logs about creating dynamic ACLs and we can only get our pings to work if we configured a static ACL on the outside--&gt;in to permit echo-reply.&nbsp;</P> <P>&nbsp;</P> <P>Thank you.</P> Fri, 21 Feb 2020 15:46:23 GMT https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3383864#M957911 Tod Larson 2020-02-21T15:46:23Z https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3383922#M957912 ICMP inspection is supported in cluster deployment. Advanced inspections<BR />such as h323 and sccp aren't supported.<BR /><BR />You won't see dynamic ACLs created for inspection.<BR /><BR />However, I have seem some bugs related to ICMP in ASA cluster with PAT<BR /> Wed, 16 May 2018 05:21:02 GMT https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3383922#M957912 Mohammed al Baqari 2018-05-16T05:21:02Z https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3384033#M957913 This is good news!<BR />Now somehow related to this: why doesn't regular ASAs (9.6 code for example) support stateful ICMP?<BR />I am still puzzled about traceroute requirement to allow time-exceeded on the outside interface as long as I allow it ORIGINALLY on the inside interface. Wed, 16 May 2018 09:04:23 GMT https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3384033#M957913 Florin Barhala 2018-05-16T09:04:23Z https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3384306#M958029 <P>We retested inspect ICMP today on our ASA cluster and it worked fine today.&nbsp; Yesterday we must have done a bad test.</P> <P>&nbsp;</P> <P>Is there any show command that will tell us that ICMP echo-replies are being serviced by the inspection engine?</P> <P>&nbsp;</P> <P>Thank you.</P> Wed, 16 May 2018 15:24:42 GMT https://community.cisco.com/t5/network-security/do-asa-clusters-support-inspect-icmp/m-p/3384306#M958029 Tod Larson 2018-05-16T15:24:42Z