Facing issues while pinging across the FWSM & ASA

shriprasad.rai
Level 1

Hi All,

I am observing an issue where I am not able to ping a couple of devices across the FWSM.

The configuration permits ICMP from the source subnet (172.16.10.X/24) to the destination subnet (10.10.10.X/24).

But we are not able to ping host 10.10.10.12 from 172.16.10.X. We are able to ping 10.10.10.12 from the FWSM.

But we are able to ping host 10.10.10.13 from 172.16.10.X.

I am observing a similar issue in another setup across an ASA, where I am able to reach a couple of devices but not able to reach one particular device.

Please advise.

Thanks!

9 Replies

Jennifer Halim
Cisco Employee

Have you enabled "inspect icmp" on both the FWSM and ASA?

Further to that, can you please share the security level of the interfaces that you are trying to ping to and from. Please also share the translation configuration, as depending on the security level of the interfaces and where you are trying to ping from, you would need to configure a different type of translation.

Hi Jennifer,

The traffic flow is from the lower security zone to the higher security zone.

Traffic has been permitted in the ACL applied to the lower security interface.

ICMP inspection is not enabled.

NAT has been disabled.

We are able to ping other machines in the same destination subnet from the same source subnet. Only one machine is not responding.

Thanks!

If you are able to ping other destinations in the same subnet, it is likely to be the end host issue, not issue on the FWSM.

Pls kindly check if the end host which is not working has been configured with the same default gateway as the other hosts in the same subnet. Also, if there is any personal firewall, etc. enabled on the host, please check if it's allowing inbound access from other subnets. Most of the time, if it is only an issue with 1 host in the same subnet, it would be a host issue, not a configuration issue on the FWSM, if you have a generic subnet-based translation and access-list to allow ping access.

Hi Jennifer,

We thought the same way and informed the team managing the server to check on it. But they insist that nothing has been blocked. Also routes are proper on the end host. We are able to reach this machine from other subnets across the same Firewall. Hence checking on whether there is anything that needs to be checked on the FWSM.

Thanks!

To prove and investigate where the issue might be, you can run a packet capture on the FWSM on both the interfaces. Assuming that you are not translating any of the addresses, then you can configure the following:

access-list cap-acl permit ip host 10.10.10.13 host 172.16.10.x
access-list cap-acl permit ip host 172.16.10.x host 10.10.10.13

Then apply the acl to both the interfaces:
cap cap-out access-list cap-acl interface
cap cap-in access-list cap-acl interface

Once you have configured the above, then pass the traffic through the fwsm, and check the packet capture and see where it's failing:


show cap cap-out

show cap cap-in

Hi Jennifer,

I enabled packet capture on both the inbound and outbound interfaces. I saw the ICMP packet entering the inbound interface but can't see the ICMP packet exiting the outbound interface on the FWSM. Please advise. Thanks!

Hi Jennifer,

Here are some logs for reference. From 172.16.10.10 we are able to ping 10.10.10.13, and the same is not possible with 10.10.10.12. ICMP traffic coming from 172.16.10.10 on VLAN 120 is able to pass it to VLAN 10, whereas for 10.10.10.13 it is able to pass the traffic.

802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.12: icmp: echo request
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.12: icmp: echo request
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.12: icmp: echo request
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.12: icmp: echo request
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 10.10.10.13 > 172.16.10.10: icmp: echo reply
802.1Q vlan#120 P0 10.10.10.13 > 172.16.10.10: icmp: echo reply
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 10.10.10.13 > 172.16.10.10: icmp: echo reply
802.1Q vlan#120 P0 10.10.10.13 > 172.16.10.10: icmp: echo reply
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 10.10.10.13 > 172.16.10.10: icmp: echo reply

Thanks!
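Reading a capture like the one above by hand works for a dozen lines but not for a busy interface. The following is an added example, not code from the thread or from Cisco: it parses `show capture` output in the format shown above and, given the ingress and egress VLAN numbers, reports for each echo-request flow whether the request was dropped inside the firewall (seen on ingress, never on egress), forwarded but never answered by the host, answered but the reply dropped, or completed. The sample input is the thread's own capture trimmed to its distinct lines, plus one constructed flow to 10.10.10.14 that exercises the forwarded-but-unanswered case; the VLAN roles (120 ingress, 10 egress) are taken from the original post.

```python
import re
from collections import Counter, defaultdict

# Capture lines from the thread (distinct patterns only), plus two
# constructed lines for a host 10.10.10.14 that is reached but never replies.
# vlan#120 is the lower-security (ingress) side, vlan#10 the egress side.
SAMPLE_CAPTURE = """\
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.12: icmp: echo request
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.12: icmp: echo request
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 172.16.10.10 > 10.10.10.13: icmp: echo request
802.1Q vlan#10 P0 10.10.10.13 > 172.16.10.10: icmp: echo reply
802.1Q vlan#120 P0 10.10.10.13 > 172.16.10.10: icmp: echo reply
802.1Q vlan#120 P0 172.16.10.10 > 10.10.10.14: icmp: echo request   (constructed)
802.1Q vlan#10 P0 172.16.10.10 > 10.10.10.14: icmp: echo request   (constructed)
"""

# One FWSM/ASA capture line: "802.1Q vlan#<n> P<prio> <src> > <dst>: icmp: echo <kind>"
LINE_RE = re.compile(
    r"802\.1Q vlan#(?P<vlan>\d+) P\d+ (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"icmp: echo (?P<kind>request|reply)"
)


def parse_capture(text):
    """Yield (vlan, src, dst, kind) for every ICMP echo line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m["vlan"]), m["src"], m["dst"], m["kind"]


def classify_flows(text, ingress_vlan, egress_vlan):
    """Return {(src, dst): verdict} for each echo-request flow first seen on ingress.

    Stages counted per flow (flow key is always the request direction):
      req_in  - request on the ingress VLAN
      req_out - same request on the egress VLAN (firewall forwarded it)
      rep_in  - reply from the host on the egress VLAN
      rep_out - reply handed back out on the ingress VLAN
    """
    counts = defaultdict(Counter)
    for vlan, src, dst, kind in parse_capture(text):
        if kind == "request":
            key = (src, dst)
            if vlan == ingress_vlan:
                counts[key]["req_in"] += 1
            elif vlan == egress_vlan:
                counts[key]["req_out"] += 1
        else:
            # A reply has src/dst swapped relative to the request it answers.
            key = (dst, src)
            if vlan == egress_vlan:
                counts[key]["rep_in"] += 1
            elif vlan == ingress_vlan:
                counts[key]["rep_out"] += 1

    verdicts = {}
    for key, c in counts.items():
        if c["req_in"] == 0:
            continue  # not a flow that entered on the ingress side; ignore
        if c["req_out"] == 0:
            verdicts[key] = "dropped-by-firewall"        # never reached egress
        elif c["rep_in"] == 0:
            verdicts[key] = "no-reply-from-host"         # forwarded, host silent
        elif c["rep_out"] == 0:
            verdicts[key] = "reply-dropped-by-firewall"  # host answered, reply lost
        else:
            verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    for (src, dst), verdict in sorted(classify_flows(SAMPLE_CAPTURE, 120, 10).items()):
        print(f"{src} -> {dst}: {verdict}")
```

Run against the thread's capture it reports 172.16.10.10 -> 10.10.10.12 as dropped-by-firewall and 172.16.10.10 -> 10.10.10.13 as ok, which matches what the poster saw by eye. The useful distinction is the first verdict: a request that is present on the ingress interface and absent on the egress interface was discarded by the firewall's own forwarding path (ACL, translation lookup, route or ARP on the egress side), so for that flow the host team's "nothing is blocked" is beside the point. On an ASA, `packet-tracer input <ingress-if> icmp 172.16.10.10 8 0 10.10.10.12` followed by `show asp drop` names the drop reason; the FWSM does not have packet-tracer, which is why the thread ends with a TAC case.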

This sounds like something that needs to be investigated further. Pls kindly open a TAC case so an engineer can troubleshoot the issue live with you.

Hi Jennifer,

Thanks for your inputs
