Disable ICMP inspection on FTD 7.x for asymmetric routes

enewburn1
Level 1

We're running FTD 7.x on various FPR 2100s and 1100s. We have an asymmetric tunnel that we need to be able to send pings through. TCP Bypass is working fine, but the ASP is dropping return echo-replies. Our understanding is that by disabling ICMP inspection (maybe via FlexConfig) we will be able to allow this traffic to go out one tunnel and be allowed to return on the other. Any help on this would be great. All the docs I've found are from 6.2.


OK, traffic initiated from Inside and returning to the same interface is allowed even if the traffic is from a high to a low security level,
but if it returns to another interface

you can override this default behaviour (which is not preferred for security reasons) by permitting echo-reply on the OUT interface.

enewburn1
Level 1

This device only does tunnel terminations - security inspection is further up the line. We currently have a FastPath policy that would allow anything going out or coming in from the target networks - but it isn't enough. The first response we got from Cisco on the subject was that it was dropped as the 'sequence numbers' don't match for the return traffic.

Yes, but if ICMP inspection is disabled (not recommended) then the traffic is allowed.
BTW, why do you need ICMP? Is there any IP SLA?

enewburn1
Level 1

Not for an SLA - but to verify that traffic is making it through the tunnels and back. Basically I need to do the (ASA) equivalent of this in FTD:

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp   (<- Remove from being eligible from inspection)
  inspect snmp

Before disabling ICMP inspection I will check some points and update you soon.

Hi @enewburn1. For the record, the way to achieve this is by executing the following command from the FTD's CLI:

> configure inspection icmp disable

It worked for me, and it can be done despite the FTD being managed by FMC.

You are totally correct. I found this after I replied to the other post and just flat forgot to add the comment. I used to be smarter and more on top of things but... time marches on.

It works!!
The asymmetric routing is the issue, and disabling ICMP inspection will be a workaround, not a solution.
Can I see your network topology?

MHM 

Hi, I'm in a similar situation. Were you able to disable ICMP inspection on FTD? Did you use FlexConfig? And most important, did it solve the issue of asymmetric traffic?

If memory serves, we ended up just doing a bi-directional prefilter that allowed everything. A better solution (which we plan to migrate to soon) is to enable BGP with the remote peer and then set a metric on one path so that only the other path is used (unless that path fails, of course). No changes that I can see to the Platform or FlexConfig setups. We are on 7.2.4.
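The drop behaviour discussed in this thread, as an added toy model (not Cisco, FTD or ASA code): a stateful ICMP inspector that remembers which tunnel an echo-request left on and only accepts a reply with the same identifier/sequence on that tunnel, so a reply arriving over the other tunnel is dropped until inspection is turned off. The session table, the interface check and the addresses are assumptions for illustration only.

```python
# Added example: simplified model of stateful ICMP inspection on a firewall with
# two tunnel interfaces. Not Cisco/FTD code; the table and checks are assumed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str    # "echo-request" or "echo-reply"
    ident: int   # ICMP identifier
    seq: int     # ICMP sequence number
    iface: str   # tunnel the request leaves on / the reply arrives on


@dataclass
class IcmpInspector:
    enabled: bool = True
    # pending requests: (src, dst, ident, seq) -> interface the request left on
    pending: dict = field(default_factory=dict)

    def process(self, pkt: Icmp) -> str:
        """Return 'allow' or 'drop' for one packet and update the state table."""
        if pkt.kind == "echo-request":
            self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = pkt.iface
            return "allow"
        if pkt.kind != "echo-reply":
            return "drop"
        if not self.enabled:
            # Inspection off: no state match required; the access/prefilter
            # policy alone decides (the workaround described in the thread).
            return "allow"
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reply mirrors request
        egress = self.pending.pop(key, None)
        if egress is None:
            return "drop"        # no request with this id/seq was seen
        if egress != pkt.iface:
            return "drop"        # reply came back on the other tunnel
        return "allow"


def simulate(inspection_enabled: bool, reply_iface: str) -> list:
    """Send one ping out tunnel1; the reply comes back on reply_iface."""
    fw = IcmpInspector(enabled=inspection_enabled)
    req = Icmp("10.1.1.10", "10.2.2.20", "echo-request", 0x1234, 1, "tunnel1")
    rep = Icmp("10.2.2.20", "10.1.1.10", "echo-reply", 0x1234, 1, reply_iface)
    return [fw.process(req), fw.process(rep)]
```

Note that with inspection disabled the model also accepts a reply that was never requested, which is why the thread calls this a workaround rather than a fix; routing symmetry (for example the BGP metric approach above) keeps the state check intact.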
