
Update Firepower FDM to 7.5.2 management-access FlexConfig doesn't work

Deo_Heo
Level 1

We have updated a Firepower 1010 from 7.2.4-165 to version 7.2.5-208 and we are no longer able to ping an interface through the VPN. This was previously possible with the FlexConfig command "management-access inside". We have checked the following:

There were no configuration changes after the update. I have checked this in the deployment history.

I have looked at the release notes and found nothing in this regard. I have looked at Open Bugs, New Features and Deprecated FlexConfig Objects.

I removed the FlexConfig command and added it back:
management-access inside

IP address Interface inside: y.y.y.y

capture mgmt type raw-data interface outside include-decrypted match icmp host x.x.x.x host y.y.y.y

1: 16:11:29.541979 x.x.x.x > y.y.y.y icmp: echo request
2: 16:11:34.184499 x.x.x.x > y.y.y.y icmp: echo request

capture drop real-time type asp-drop all match icmp any host y.y.y.y
1: 15:57:17.237780 x.x.x.x > y.y.y.y icmp: echo request drop-reason: (unexpected-packet) Unexpected packet, Drop-location: frame 0x0000563354bf3f45 flow (NA)/NA

2: 15:57:17.586181 x.x.x.x > y.y.y.y icmp: echo request Drop-reason: (unexpected-packet) Unexpected packet, Drop-location: frame 0x0000563354bf3f45 flow (NA)/NA

Now I am a bit stumped. In my opinion there are only three reasons for a drop-reason: (unexpected-packet)

- The NAT is missing the route-lookup argument.
  - Source: https://www.tunnelsup.com/cisco-asa-drop-reason-unexpected-packet/#:~:text=Unexpected%2DPacket%20occurs%20when%20the,appliance%20to%20process%20the%20packet.
- It is a non-IP packet for which no corresponding service is running to process the packet.
  - Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/show_asp_drop_command_usage/show-asp-drop-command-usage.html
- The FlexConfig object management-access inside is missing.

Maybe someone has the same problem and already found a solution? Or maybe someone has another idea? Otherwise I would open a case.
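
Added example, not part of the original post: a small Python parser for asp-drop capture lines in the format quoted above, tallying drops per source, destination, drop reason and drop location so it is clear whether every dropped packet fails for the same reason at the same point. The sample lines are constructed (documentation-range addresses; the third line and its frame address are made up), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the asp-drop capture output quoted in the post.
# Addresses are documentation-range placeholders; line 3 is invented for contrast.
SAMPLE = """\
1: 15:57:17.237780 192.0.2.10 > 198.51.100.1 icmp: echo request drop-reason: (unexpected-packet) Unexpected packet, Drop-location: frame 0x0000563354bf3f45 flow (NA)/NA
2: 15:57:17.586181 192.0.2.10 > 198.51.100.1 icmp: echo request Drop-reason: (unexpected-packet) Unexpected packet, Drop-location: frame 0x0000563354bf3f45 flow (NA)/NA
3: 15:57:18.101010 192.0.2.10 > 198.51.100.2 icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005633aaaa0001 flow (NA)/NA
"""

# The capture prints "drop-reason" with inconsistent capitalisation, so match
# case-insensitively.
LINE = re.compile(
    r"^\s*\d+:\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+(?P<detail>.*?)\s+"
    r"drop-reason:\s+\((?P<reason>[\w-]+)\)\s+(?P<text>.*?),\s+"
    r"drop-location:\s+frame\s+(?P<frame>0x[0-9a-fA-F]+)",
    re.IGNORECASE,
)


def parse_drops(text):
    """Return one dict per line that matches the asp-drop capture format."""
    drops = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank lines, capture headers, anything unrecognised
        d = m.groupdict()
        d["dst"] = d["dst"].rstrip(":")   # some protocols print "dst:" with a colon
        d["reason"] = d["reason"].lower()
        drops.append(d)
    return drops


def summarize(drops):
    """Count drops per (src, dst, reason, frame) tuple."""
    return Counter((d["src"], d["dst"], d["reason"], d["frame"]) for d in drops)


if __name__ == "__main__":
    for (src, dst, reason, frame), n in summarize(parse_drops(SAMPLE)).most_common():
        print(f"{n:3d}  {src} -> {dst}  {reason}  at {frame}")
```
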

 

2 Replies

Deo_Heo
Level 1

Hello all,

Does no one have the same problem?

Greetings

Did you find any solution to this issue? I have a similar issue with the "management-access inside" FlexConfig command not working on two different FTDs with version 7.2.5 and 7.3.1.

Thanks

/Chess