I am trying to get traceroute to work from my internal network to the Internet through an FTD2110 managed by FMC running 6.2.3 code.
I created an access policy allowing ICMP type 3 and 11 from the outside to the inside. I added ICMP permit statements in the Platform Settings for the device (3 and 11 on the outside interface to any-ipv4).
I also added the Flex config statement to decrement the TTL
But this still isn't working. Is this a bug? Unsupported?
Unfortunately, that isn't working either
The GUI doesn't interpret the rule correctly--when you try to add OSPF (89) as a port, it simply defaults to "any".
But that isn't the underlying problem. The issue I am having is that the FTD won't pass the traceroute traffic, period--it is dropping the ICMP on the outside interface. I don't even get to the TTL issue.
(wishing we were still using the ASA ...)
Have you seen the instructions at packetu.com? Paul Stewart does a nice job of walking through the necessary configuration there:
I have it working like that on several FTD deployments.
Here's what the relevant bits in an FTD running-config should look like:
icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>
!
policy-map global_policy
 <snip>
  inspect icmp
  inspect icmp error
 class class-default
  <snip>
  set connection decrement-ttl
Can you confirm you have those?
If so, have you tried a packet-tracer diagnostic and what does it show?
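As an added example (not part of the original thread or Cisco's tooling), the following Python script checks a saved `show running-config` for the statements listed above: the two `icmp permit` lines on the outside interface, `inspect icmp` and `inspect icmp error` somewhere in `policy-map global_policy`, and `set connection decrement-ttl` under `class class-default`. The interface name `outside` and both sample configs are constructed assumptions; the script is a text check only and does not replace a packet-tracer run on the device.

```python
"""Check an FTD/ASA running-config for the statements needed so that
traceroute replies (ICMP time-exceeded / unreachable) traverse the box.

Added example; not from the original thread. The interface name "outside"
and the sample configs below are constructed for illustration.
"""
import re

# ICMP message types that traceroute depends on, as named in 'icmp permit'.
REQUIRED_ICMP = ("time-exceeded", "unreachable")


def parse_policy_map(config: str, name: str) -> dict:
    """Return {class_name: [commands]} for the named policy-map.

    Relies on the config's indentation: 'class X' lines nest one level
    under the policy-map and their commands sit one level deeper.
    """
    classes = {}
    in_pmap = False
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            # Any top-level line ends the current policy-map section.
            in_pmap = stripped == f"policy-map {name}"
            current = None
            continue
        if not in_pmap:
            continue
        if stripped.startswith("class "):
            current = stripped.split(None, 1)[1]
            classes.setdefault(current, [])
        elif current is not None:
            classes[current].append(stripped)
    return classes


def check_traceroute_config(config: str, outside_if: str) -> list:
    """Return human-readable findings; an empty list means all present."""
    findings = []
    for icmp_type in REQUIRED_ICMP:
        pattern = rf"^icmp permit any {icmp_type} {re.escape(outside_if)}[ \t]*$"
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing: icmp permit any {icmp_type} {outside_if}")

    classes = parse_policy_map(config, "global_policy")
    all_cmds = [cmd for cmds in classes.values() for cmd in cmds]
    for needed in ("inspect icmp", "inspect icmp error"):
        if needed not in all_cmds:
            findings.append(f"missing in global_policy: {needed}")
    if "set connection decrement-ttl" not in classes.get("class-default", []):
        findings.append(
            "missing in global_policy class class-default: set connection decrement-ttl"
        )
    return findings


# Constructed sample: everything the thread lists is present.
SAMPLE_OK = """\
icmp permit any time-exceeded outside
icmp permit any unreachable outside
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
"""

# Constructed sample: unreachable permit, icmp error inspection and TTL
# decrement are all absent, the typical half-finished state.
SAMPLE_MISSING = """\
icmp permit any time-exceeded outside
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
 class class-default
!
"""

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(f"[{label}]", check_traceroute_config(cfg, "outside") or "all present")
```

Run it against a pasted running-config to see which of the three pieces is absent before reaching for packet-tracer; the indentation-based parser is deliberately simple and only handles the `policy-map` layout shown in the thread.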