
echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched

junsung kim
Level 1

Hi everyone,

The routing flow is asymmetric.

An ICMP request comes in via another route.

Then the ICMP reply goes to the ASA.

The ASA forwards the packets from inside to inside by static route.

I've used the tcp_state_bypass feature to clear this issue.

But ICMP isn't successful.

If I disable 'inspect icmp' in the global policy, ping is successful.

Instead, ping from inside to outside isn't successful.

I don't know how to handle this.

Thank you.

Best regards

3 Replies

You need to fix your routing. Why are you using asymmetric routing? Is
this by design?

Hi,

This is by design.

I'm going to suggest a topology change.

But I want to know how I can fix it without a topology change.

Thank you.

Best regards

panoschatz
Level 1

Hi all,

We have exactly the same issue.

Asymmetric routing by design.

Resolved TCP connectivity with tcp_state_bypass, but we have a problem with ICMP (ICMP Inspect seq num not matched).

Opened a ticket with TAC and the response was to disable ICMP inspection and allow traffic to Access Control Policy.

Is this solution correct from a security perspective, since ICMP inspection is global to the FTD?

Is there another, better solution?

Thank you.
