Rising star

Traceroute through FTD Sensor?

Does anyone have an FTD-based firewall running where traceroute through it works?

In ASA, enabling inspection of icmp/icmp error allowed traceroute to match ICMP replies and allow them, without having to open ICMP return packets on the outside interface.

This, as far as I can tell, is not the case with FTD. I have no policies allowing any traffic from outside->inside, which is what I want. The FTD is not blocking the return packets for http/https or any other regular protocol; however, it does seem to be blocking the return ICMP packets. It seems like the old-style ASA icmp/icmp error inspection is not working like it used to.

Anyone else having problems with traceroute and FTD?

/Jan

20 Replies
Hall of Fame Master

There is a bug with 6.1, 6.2 (and even the soon-to-be-released 6.2.1) that may apply to your issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb40875

The bug description doesn't say so, but you should be able to use FlexConfig on 6.2+ to add the inspect statements back into the configuration.

Cisco Employee

I filed this bug after verifying it in the lab. Yes, you can use FlexConfig to add inspects. The bug has been fixed in 6.2.0.2.

Hall of Fame Master

@Dinkar Sharma,

Thanks for the update. The Bug ID needs to be updated to show 6.2.0.2 as a known fixed release.

Unfortunately the fix did not make it in to 6.2.1. Maybe 6.2.2...?

Cisco Employee

Yes, the fix will be integrated in 6.2.2. We are also trying to get a document out with details (especially for FP2100 devices). I will correct the bug's fixed versions.

Hall of Fame Master

That's great news Dinkar - thanks.

I look forward to 6.2.2.

Hall of Fame Master

Re: That's great news Dinkar -

By the way - fix is confirmed for 6.2.2

Fixed yet?

... wish I had found this thread earlier. I've been bashing my head for quite a few days.
Can anyone confirm this was actually fixed? I'm running 6.2.2.1 on my lab device and the echo reply is still being blocked by the FTD sensor for any hops in the path. It does work for the destination address, though, but then I could just use a simple ping for that...

Beginner

Re: Fixed yet?

I have the same f.... problem, investigating the whole day for now... I updated from 6.2.0.4 to 6.2.2.1 because I need the VPN access, but my feeling is that this version has more problems than 6.2.0. Also, I am currently unable to resolve DNS requests through the ASA. But this might be another problem...
Beginner

Re: Fixed yet?

It's not working for me either.

Hall of Fame Master

Re: Fixed yet?

Here's my working configuration that allows both ICMP reachability and proper traceroute output (i.e. with the first route at the FTD firewall reported) from my setup. Basically, ICMP is being inspected by default, but I needed to add the echo replies (both Windows and Unix style) inbound (a platform setting) and also set my policy-map to decrement TTL (a FlexConfig setup).

Attachments: FlexConfig object.PNG, Traceroute platform settings.PNG, FlexConfig applied.PNG, Traceroute through FTD.PNG
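As an added illustration (not the poster's configuration; their screenshots are not reproduced here), this is the ASA-style CLI that the two pieces described above would push to the FTD: the ICMP platform setting and a FlexConfig object carrying the policy-map changes. The interface name outside, the global_policy/inspection_default names and the mapping of the FMC ICMP platform setting onto icmp permit lines are assumptions.

```cisco
! --- Platform setting (FMC: Platform Settings > ICMP), assumed interface "outside" ---
! Governs ICMP addressed to the FTD's own outside interface. echo-reply covers
! Windows tracert (ICMP probes); time-exceeded and unreachable cover Unix
! traceroute (UDP probes) and the intermediate-hop replies.
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside

! --- FlexConfig object (append to the deployed config) ---
! Rate limit that lets the FTD generate its own ICMP time-exceeded messages;
! the ASA configuration guide pairs it with decrement-ttl so the firewall
! shows up as a hop in traceroute.
icmp unreachable rate-limit 1 burst-size 1

policy-map global_policy
 class inspection_default
  ! inspect icmp is already on by default on 6.2.2 per the post above;
  ! inspect icmp error is the piece the bug in this thread dropped. Both
  ! match ICMP replies and error packets to the flow that triggered them,
  ! so no outside->inside access rule is needed for the return traffic.
  inspect icmp
  inspect icmp error
 class class-default
  ! Decrement TTL on transit packets so the FTD is a visible traceroute hop.
  set connection decrement-ttl
```

After deploying, a traceroute from an inside host should list the FTD as the first hop and the remaining hops beyond it; a hop that still shows as * * * indicates the corresponding ICMP error type is being dropped.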

Beginner

Re: Fixed yet?

Thank you! ...but is there a way to apply this on FTD Device Manager directly?

Hall of Fame Master

Re: Fixed yet?

Sorry but no - FDM does not support FlexConfigs.

That is one of several configuration options not supported via FDM. Others include:

dynamic routing
AAA server
multiple local users
certificates (other than the self-signed one)*
HA
PPPoE
Etherchannel
redundant interface
SNMP configuration
correlation policy
centralized management of multiple devices

*limited certificate support is now available - no CSR capability.

Beginner

Re: Fixed yet?

Thank you again :) haha, you have removed the site-to-site VPN from the list, that's correct :)

...but I will double-check that with the certificates, as I saw an option to upload your own.

Hopefully Cisco pushes the development a little bit more for the FTD.

Cheers

Hall of Fame Master

Re: Fixed yet?

Thanks Leon for pointing out the certificate bit. I updated my earlier post to correct it.

I had missed that but found it when I dug into my ASA 5506 running FTD with FDM.

It looks like you can upload but need to generate the key off-box (i.e. no Certificate Signing Request capability). So the super simple GUI requires you to also be handy with the openssl CLI to generate a private key and CSR and then send it off to your CA.

Attachment: FDM Certificate upload.PNG