Beginner

Traceroute through FTD

I am trying to get traceroute to work from my internal network to the Internet through an FTD2110 managed by FMC running 6.2.3 code.

 

I created an access policy allowing ICMP type 3 and 11 from the outside to the inside. I added ICMP permit statements in the Platform Settings for the device (3 and 11 on the outside interface to any-ipv4).

 

I also added the Flex config statement to decrement the TTL

 

But this still isn't working. Is this a bug? Unsupported? 

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

Re: Traceroute through FTD

Here's what the relevant bits in an FTD running-config should look like:

 

icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>
!
policy-map global_policy
 <snip>
  inspect icmp
  inspect icmp error
 class class-default
  <snip>
  set connection decrement-ttl

 

Can you confirm you have those?

 

If so, have you tried a packet-tracer diagnostic and what does it show?
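To check a running-config for the elements listed above, here is an added Python example (not from the thread, and not a Cisco tool). It parses `show running-config` text; the sample config and the interface name "outside" are constructed assumptions.

```python
# Constructed sample of the relevant parts of an FTD/ASA running-config
# (not from the thread); the interface name "outside" is an assumption.
SAMPLE_CONFIG = """\
interface Ethernet1/1
 nameif outside
!
icmp permit any time-exceeded outside
icmp permit any unreachable outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
"""

def policy_map_lines(config, policy_name):
    """Return (class_name, command) pairs found inside the named policy-map."""
    pairs, in_pm, cls = [], False, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):        # top-level command: ends any policy-map block
            in_pm = line == f"policy-map {policy_name}"
            cls = None
            continue
        if not in_pm:
            continue
        stripped = line.strip()
        if stripped.startswith("class "):   # sub-block: remember which class we are in
            cls = stripped.split(None, 1)[1]
        elif cls is not None:
            pairs.append((cls, stripped))
    return pairs

def check_traceroute_config(config, outside_if):
    """Map each element from the accepted solution to whether the config contains it."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    pm = set(policy_map_lines(config, "global_policy"))
    return {
        "icmp_permit_time_exceeded": f"icmp permit any time-exceeded {outside_if}" in top,
        "icmp_permit_unreachable": f"icmp permit any unreachable {outside_if}" in top,
        "inspect_icmp": any(cmd == "inspect icmp" for _, cmd in pm),
        "inspect_icmp_error": any(cmd == "inspect icmp error" for _, cmd in pm),
        "decrement_ttl": ("class-default", "set connection decrement-ttl") in pm,
    }

def missing_items(config, outside_if):
    """List the required elements that are absent, i.e. what still needs fixing in FMC."""
    return sorted(k for k, ok in check_traceroute_config(config, outside_if).items() if not ok)
```

A complete config returns an empty list; a shadowing rule higher in the access policy, as found later in this thread, is not visible in these lines and still needs packet-tracer.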

Rising star

Re: Traceroute through FTD

Beginner

Re: Traceroute through FTD

Unfortunately, that isn't working either.

 

The GUI doesn't interpret the rule correctly: when you try to add OSPF (89) as a port, it simply defaults to "any".

 

But that isn't the underlying problem. The issue I am having is that the FTD won't pass the traceroute traffic, period; it is dropping the ICMP on the outside interface. I don't even get to the TTL issue.

 

(wishing we were still using the ASA ...)

Hall of Fame Master

Re: Traceroute through FTD

Have you seen the instructions at packetu.com? Paul Stewart does a nice job of walking through the necessary configuration there:

 

https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/

 

I have it working like that on several FTD deployments.

Beginner

Re: Traceroute through FTD

Yes, I did, and I verified the configuration in the CLI. Everything looks correct.

 


Beginner

Re: Traceroute through FTD

It turns out that there was another rule higher up in the access policy that was causing the problem.