09-30-2022 11:16 AM
We're running FTD 7.x on various FPR 2100s and 1100s. We have an asymmetric tunnel that we need to be able to send pings through. TCP Bypass is working fine, but the ASP is dropping return echo-replies. Our understanding is that by disabling ICMP inspection (maybe via FlexConfig) we will be able to allow this traffic to go out one tunnel and be allowed to return on the other. Any help on this would be great. All the docs I've found are from 6.2.
09-30-2022 11:21 AM - edited 09-30-2022 11:28 AM
OK, traffic initiated from Inside and returning to the same interface is allowed even if the traffic is from a high to a low security level.
But if it returns on a different interface,
you can override this default behaviour (which is not preferred for security reasons) by permitting echo-reply on the OUT interface.
09-30-2022 11:33 AM
This device only does tunnel terminations - security inspection is further up the line. We currently have a FastPath policy that would allow anything going out or coming in from the target networks - but it isn't enough. The first response we got from Cisco on the subject was that it was dropped as the 'sequence numbers' don't match for the return traffic.
09-30-2022 11:47 AM
Yes, but if ICMP inspection is disabled (not recommended) then the traffic is allowed.
BTW, why do you need ICMP? Is there any IP SLA?
09-30-2022 12:12 PM
Not for an SLA - but to verify that traffic is making it through the tunnels and back. Basically I need to do the (ASA) equivalent of this in FTD:
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp (<- Remove from being eligible from inspection)
inspect snmp
10-01-2022 04:36 PM
Before disabling ICMP inspection I will check some points and update you soon.
01-09-2024 06:57 AM
Hi @enewburn1. For the record, the way to achieve this is by executing the following command from the ftd's cli:
> configure inspection icmp disable
It worked for me, and it can be done despite the ftd being managed by fmc.
01-09-2024 06:59 AM
01-09-2024 07:01 AM
It works!!
The asymmetric routing is the issue, and disabling ICMP inspection will be a workaround, not a solution.
Can I see your network topology?
MHM
01-04-2024 11:03 AM
Hi, I'm in a similar situation. Were you able to disable ICMP inspection on FTD? Did you use FlexConfig? And most importantly, did it solve the issue of asymmetric traffic?
01-04-2024 11:44 AM
If memory serves we ended up with just doing a bi-directional prefilter that allowed everything. A better solution (which we plan to migrate to soon) is to enable BGP with the remote peer and then set a metric on one path so that only the other path is used (unless that path fails, of course). No changes that I can see to the Platform or FlexConfig setups. We are on 7.2.4
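To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread, and not Cisco's implementation) that models a stateful ICMP inspection engine in front of a permit-all prefilter. The model assumes that an echo-reply is only permitted when it matches a pending echo-request (same addresses, ICMP identifier and sequence number) and arrives on the interface the request left through; with inspection disabled, only the prefilter decides. The interface names, addresses and ICMP id/sequence values are constructed for the demonstration, and the state-table rules are an assumption chosen to reproduce the "sequence numbers don't match" symptom, not a description of FTD internals.

```python
"""Model of why stateful ICMP inspection drops an asymmetric echo-reply.

Added example: the inspector logic is an assumption that mirrors the
symptom described in the thread, not the FTD implementation.
"""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Build an ICMP echo-request/echo-reply message with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Parse type/code/id/seq from an ICMP message, verifying the checksum."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet) != 0:  # a correct checksum sums to zero
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq}


class IcmpInspector:
    """Toy firewall: prefilter first, then (optionally) stateful ICMP inspection."""

    def __init__(self, inspection_enabled: bool, prefilter_allow):
        self.inspection_enabled = inspection_enabled
        self.prefilter_allow = prefilter_allow  # callable(src, dst, ingress) -> bool
        # (src, dst, id, seq) -> interface the request left through (assumed state key)
        self.pending = {}

    def process(self, src, dst, ingress, egress, packet: bytes) -> str:
        icmp = parse_echo(packet)
        if not self.prefilter_allow(src, dst, ingress):
            return "drop: prefilter"
        if not self.inspection_enabled:
            return "permit"  # no ICMP state tracking at all
        if icmp["type"] == ECHO_REQUEST:
            self.pending[(src, dst, icmp["id"], icmp["seq"])] = egress
            return "permit"
        if icmp["type"] == ECHO_REPLY:
            key = (dst, src, icmp["id"], icmp["seq"])  # reply reverses the addresses
            expected = self.pending.pop(key, None)
            if expected is None:
                return "drop: no matching echo-request"
            if expected != ingress:
                return "drop: reply arrived on %s, request left via %s" % (ingress, expected)
            return "permit"
        return "permit"


def prefilter_allow_all(src, dst, ingress) -> bool:
    """Stand-in for a bi-directional permit-everything prefilter rule."""
    return True


def simulate(inspection_enabled: bool, reply_ingress: str) -> list:
    """Send one echo-request out tunnel-a and return the reply on reply_ingress."""
    fw = IcmpInspector(inspection_enabled, prefilter_allow_all)
    host, remote = "10.1.1.10", "10.2.2.20"  # constructed addresses
    req = build_echo(ECHO_REQUEST, ident=0x1234, seq=1)
    rep = build_echo(ECHO_REPLY, ident=0x1234, seq=1)
    verdicts = [fw.process(host, remote, "inside", "tunnel-a", req)]
    verdicts.append(fw.process(remote, host, reply_ingress, "inside", rep))
    return verdicts


if __name__ == "__main__":
    print("inspection on,  symmetric :", simulate(True, "tunnel-a"))
    print("inspection on,  asymmetric:", simulate(True, "tunnel-b"))
    print("inspection off, asymmetric:", simulate(False, "tunnel-b"))
```

Running it shows the three cases from the thread side by side: with inspection enabled and a symmetric path both packets are permitted; with the reply coming back over the other tunnel the inspector drops it even though the prefilter would allow it; with inspection disabled the permit-all prefilter alone decides, which is the workaround described above and why it trades away the reply-matching check.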