Do ASA clusters support inspect icmp?

Tod Larson
Level 3

This document lists several inspections that are and are not supported. However, it is silent regarding icmp inspection.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html

Our ASA cluster allows us to configure inspect icmp, but it doesn't seem to work. We get nothing in the logs about dynamic ACLs being created, and we can only get our pings to work if we configure a static ACL on the outside-->in to permit echo-reply.

Thank you.

3 Replies

ICMP inspection is supported in cluster deployment. Advanced inspections
such as h323 and sccp aren't supported.

You won't see dynamic ACLs created for inspection.

However, I have seen some bugs related to ICMP in ASA cluster with PAT.

This is good news!
Now, somewhat related to this: why don't regular ASAs (9.6 code, for example) support stateful ICMP?
I am still puzzled about the traceroute requirement to allow time-exceeded on the outside interface, as long as I allow it ORIGINALLY on the inside interface.

We retested inspect ICMP today on our ASA cluster and it worked fine today. Yesterday we must have done a bad test.

Is there any show command that will tell us that ICMP echo-replies are being serviced by the inspection engine?

Thank you.
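As an added illustration that is not part of the thread or of Cisco's documentation: the ASA CLI fragment below enables ICMP inspection in the default global service policy and lists the show commands a defender would use to confirm the inspection engine, rather than an explicit outside-to-inside ACL, is what admits the echo-replies. The policy-map and class-map names are the ASA defaults; everything else (the optional error inspection line, the expectation of a tracked ICMP conn entry) is an assumption to verify against your platform's command reference.

```text
! Added example, not from the thread. Enable ICMP inspection inside the
! default global policy (policy-map/class-map names are the ASA defaults).
policy-map global_policy
 class inspection_default
  inspect icmp
  ! optional, assumed relevant to the traceroute question above: also
  ! inspect ICMP error messages (time-exceeded, unreachable) so they are
  ! matched to the originating conn rather than needing a separate permit
  inspect icmp error
!
! Verification (assumed usage; confirm on your release):
! 1. per-inspection packet/drop counters for the global policy. If the
!    "inspect icmp" counters increase while you ping, the engine is active.
show service-policy inspect icmp
! 2. ICMP connection entries currently tracked. With inspection on, an
!    outbound echo creates a conn and the echo-reply is matched to it; no
!    dynamic ACL is created, which is why nothing appears in the logs.
show conn protocol icmp
! 3. confirm that no static outside-->in echo-reply permit is still
!    masking the test: remove it temporarily and repeat the ping.
```

The check that matters is the combination of steps 1 and 2: a rising inspect icmp counter plus a conn entry for the echo means the reply was admitted by the stateful engine, so the blanket echo-reply ACL can be retired.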
