Flow is denied by configured rule, Drop-location: frame snp

Suhrob Samiev
Level 1

Hi,

I'm managing two FTDs using Cisco FMC 7.6, and I have no critical health issues.

The firewall is set up in routed mode with the following IPs:

Ethernet 1/1: outside -> ISP IP

Ethernet 3/1: inside -> 192.168.15.1/24

Ethernet 4/1: dmz -> 192.168.50.2/28

VM -> 192.168.15.100

Mikrotik router connected to Ethernet 4/1, 192.168.50.1/28

Routes
S* 0.0.0.0 0.0.0.0 [1/0] via 37.98.x.x, wan
C 37.98.159.32 255.255.255.240 is directly connected, wan
L 37.98.159.42 255.255.255.255 is directly connected, wan
S 192.168.10.0 255.255.255.0 [1/0] via 192.168.50.1, dmz
C 192.168.15.0 255.255.255.0 is directly connected, inside
L 192.168.15.1 255.255.255.255 is directly connected, inside
C 192.168.50.0 255.255.255.248 is directly connected, dmz
L 192.168.50.2 255.255.255.255 is directly connected, dmz

Auto NAT: inside_zone, outside_zone dynamic

Access lists allow internet access from 192.168.15.100.

(screenshot: Screenshot_90.jpg)
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list CSM_FW_ACL_; 16 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 3 advanced permit ipinip any any rule-id 9998 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 4 advanced permit udp any eq 3544 any range 1025 65535 rule-id 9998 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 5 advanced permit udp any range 1025 65535 any eq 3544 rule-id 9998 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 6 advanced permit 41 any any rule-id 9998 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 7 advanced permit gre any any rule-id 9998 (hitcnt=0) 0x52c7a066
access-list CSM_FW_ACL_ line 8 remark rule-id 268434450: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 9 remark rule-id 268434450: L7 RULE: No Gambling Rule
access-list CSM_FW_ACL_ line 10 advanced permit ip ifc inside any ifc wan any rule-id 268434450 (hitcnt=1232) (Last Hit=06:30:05 UTC Dec 11 2024) 0xe2dae483
access-list CSM_FW_ACL_ line 11 remark rule-id 268434451: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 12 remark rule-id 268434451: L7 RULE: New-Rule-#4-ALLOW
access-list CSM_FW_ACL_ line 13 advanced permit ip ifc dmz any ifc inside any rule-id 268434451 (hitcnt=0) 0x8377aa96
access-list CSM_FW_ACL_ line 14 remark rule-id 268434454: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 15 remark rule-id 268434454: L7 RULE: New-Rule-#9-ALLOW
access-list CSM_FW_ACL_ line 16 advanced permit ip object 192.168.50.0 object netw-192.168.15.0 rule-id 268434454 (hitcnt=0) 0x0def8c30
access-list CSM_FW_ACL_ line 16 advanced permit ip 192.168.50.0 255.255.255.0 192.168.15.0 255.255.255.0 rule-id 268434454 (hitcnt=0) 0x0def8c30
access-list CSM_FW_ACL_ line 17 remark rule-id 268434455: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 18 remark rule-id 268434455: L7 RULE: New-Rule-#7-ALLOW
access-list CSM_FW_ACL_ line 19 advanced permit ip ifc inside any object 50.2 rule-id 268434455 (hitcnt=631) (Last Hit=06:16:45 UTC Dec 11 2024) 0x3a307ed1
access-list CSM_FW_ACL_ line 19 advanced permit ip ifc inside any host 192.168.50.2 rule-id 268434455 (hitcnt=631) (Last Hit=06:16:45 UTC Dec 11 2024) 0x3a307ed1
access-list CSM_FW_ACL_ line 20 remark rule-id 268434452: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 21 remark rule-id 268434452: L7 RULE: New-Rule-#3-ALLOW
access-list CSM_FW_ACL_ line 22 advanced permit ip ifc inside any ifc dmz any rule-id 268434452 (hitcnt=17) (Last Hit=05:59:07 UTC Dec 11 2024) 0x8be62cea
access-list CSM_FW_ACL_ line 23 remark rule-id 268434453: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 24 remark rule-id 268434453: L7 RULE: New-Rule-#8-ALLOW
access-list CSM_FW_ACL_ line 25 advanced permit ip object netw-192.168.15.0 object 192.168.50.0 rule-id 268434453 (hitcnt=0) 0x5be3d9eb
access-list CSM_FW_ACL_ line 25 advanced permit ip 192.168.15.0 255.255.255.0 192.168.50.0 255.255.255.0 rule-id 268434453 (hitcnt=0) 0x5be3d9eb
access-list CSM_FW_ACL_ line 26 remark rule-id 268434433: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 27 remark rule-id 268434433: L7 RULE: INTERNET-15#-ALLOW
access-list CSM_FW_ACL_ line 28 advanced permit ip ifc inside object netw-192.168.15.0 ifc wan any4 rule-id 268434433 (hitcnt=119033) (Last Hit=06:36:25 UTC Dec 10 2024) 0xa55bc74c
access-list CSM_FW_ACL_ line 28 advanced permit ip ifc inside 192.168.15.0 255.255.255.0 ifc wan any4 rule-id 268434433 (hitcnt=119033) (Last Hit=06:36:25 UTC Dec 10 2024) 0xa55bc74c
access-list CSM_FW_ACL_ line 29 remark rule-id 268434434: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ line 30 remark rule-id 268434434: L7 RULE: New-Rule-#2-ALLOW
access-list CSM_FW_ACL_ line 31 advanced permit object-group ping ifc wan any object Public-IP rule-id 268434434 (hitcnt=0) 0x8f8ac98b
access-list CSM_FW_ACL_ line 31 advanced permit icmp ifc wan any4(0xf0050000) host 37.98.159.42(0x25629f2a) rule-id 268434434 (hitcnt=0) 0x2e0dd838
access-list CSM_FW_ACL_ line 32 remark rule-id 268434441: ACCESS POLICY: AccPolicy - Default
access-list CSM_FW_ACL_ line 33 remark rule-id 268434441: L7 RULE: Public access-#ALLOW
access-list CSM_FW_ACL_ line 34 advanced permit tcp ifc wan any ifc inside object VM-15100 object-group HTTP rule-id 268434441 (hitcnt=531) (Last Hit=05:17:19 UTC Dec 11 2024) 0x5a62c12a
access-list CSM_FW_ACL_ line 34 advanced permit tcp ifc wan any4(0xf0050000) ifc inside host 192.168.15.100(0xc0a80f64) eq www rule-id 268434441 (hitcnt=531) (Last Hit=05:17:19 UTC Dec 11 2024) 0x177c560b
access-list CSM_FW_ACL_ line 35 advanced permit tcp ifc wan any ifc inside object VM-15100 object-group RDP rule-id 268434441 (hitcnt=46) (Last Hit=06:28:39 UTC Dec 11 2024) 0x51cc0275
access-list CSM_FW_ACL_ line 35 advanced permit tcp ifc wan any4(0xf0050000) ifc inside host 192.168.15.100(0xc0a80f64) eq 3389 rule-id 268434441 (hitcnt=46) (Last Hit=06:28:39 UTC Dec 11 2024) 0xaf1f67fe
access-list CSM_FW_ACL_ line 36 remark rule-id 268434432: ACCESS POLICY: AccPolicy - Default
access-list CSM_FW_ACL_ line 37 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 38 advanced deny ip any any rule-id 268434432 event-log flow-start (hitcnt=24) (Last Hit=07:01:06 UTC Dec 10 2024) 0x97aa021a


Currently I cannot ping the locally connected interface 192.168.50.2 from the VM 192.168.15.100.

The packet capture shows the traffic is dropped, but in the access policy I have allowed any traffic between inside_zone and dmz_zone.

4 packets captured

1: 06:16:31.215900 192.168.15.100 > 192.168.50.2 icmp: echo request
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 7680 ns
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 7680 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 18432 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.50.2 using egress ifc dmz(vrfid:0)

Phase: 4
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 26112 ns
Config:
Additional Information:
Source object-group match count: 0
Source NSG match count: 0
Destination NSG match count: 0
Classify table lookup count: 1
Total lookup count: 1
Duplicate key pair count: 0
Classify table match count: 4

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 256 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ remark rule-id 268434455: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434455: L7 RULE: New-Rule-#7-ALLOW
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 256 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 256 ns
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 256 ns
Config:
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 25088 ns
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 3072 ns
Config:
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 31744 ns
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: dmz(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 120832 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame snp_sp_handle_flow_drop:4208 flow (NA)/NA


2: 06:16:36.130776 192.168.15.100 > 192.168.50.2 icmp: echo request
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 3072 ns
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 3072 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 19968 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.50.2 using egress ifc dmz(vrfid:0)

Phase: 4
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 27136 ns
Config:
Additional Information:
Source object-group match count: 0
Source NSG match count: 0
Destination NSG match count: 0
Classify table lookup count: 1
Total lookup count: 1
Duplicate key pair count: 0
Classify table match count: 4

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 512 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ remark rule-id 268434455: ACCESS POLICY: AccPolicy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434455: L7 RULE: New-Rule-#7-ALLOW
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 512 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 512 ns
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 512 ns
Config:
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 24576 ns
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 3584 ns
Config:
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 30208 ns
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: dmz(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 113664 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame snp_sp_handle_flow_drop:4208 flow (NA)/NA

What could be the problem?

Thanks

Suhrob

6 Replies

Please use detail with your packet tracer and share the result here.

MHM

Hi,

Please find the output below:

> show capture CAP detail

168 packets captured

1: 06:01:07.608550 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13624)
2: 06:01:12.608489 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13625)
3: 06:01:17.608626 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13626)
4: 06:01:22.608901 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13627)
5: 06:01:27.609358 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13628)
6: 06:01:32.609282 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13629)
7: 06:01:37.609099 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13630)
8: 06:01:42.609541 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13631)
9: 06:01:47.609465 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13632)
10: 06:01:52.609663 000c.29c5.3113 a410.b6f1.5526 0x0800 Length: 74
192.168.15.100 > 192.168.50.2 icmp: echo request (ttl 128, id 13633)

I will send you a PM.

Thanks

MHM

That will never work because the ASA and the FTD firewalls are designed not to allow reaching an interface from another interface sitting on the opposite side. In your case you are trying to ping the firewall interface 192.168.50.2 from a host in the inside network; this is not allowed by design and it will never work. The same applies if you try to ping the inside interface from a host in the DMZ, or the outside interface from inside, etc. The concept remains the same: you can't ping an interface of the firewall coming from an opposite interface. It's been my experience that this is something only on Cisco firewalls, and I never saw it on any other vendors' firewalls or even on Cisco switches or routers.

Suhrob Samiev
Level 1

Thanks Aref for your answer, but from the network 192.168.10.x I can reach the Cisco interface 192.168.50.2 (dmz), since I have a static route in the Cisco FTD to reach the 192.168.10.x network via 192.168.50.1 (Mikrotik gateway).

You're welcome. That is a different use case and I would expect it to work. The reason why that works is that the traffic flow comes from behind the DMZ interface of the firewall, not from an opposite interface. This is how the topology looks:

Host (192.168.10.x) <-> Mikrotik Gateway (192.168.50.1) <-> FTD (192.168.50.2)

So from the firewall perspective, it will receive the traffic coming from the host 192.168.10.x via Mikrotik in inbound direction to its DMZ interface, not from another interface. This is expected to work and this is exactly the same as if you try to ping the firewall inside interface from a host in the inside network, same as if you try to ping the outside interface from a host on the internet, obviously assuming ping is allowed on the firewall. However, if you were to try to reach the firewall inside or outside interface from the host 192.168.10.x it won't work for the reasons I mentioned in my previous post.
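As an added triage helper (not from the thread, from Cisco, or from any of the posters): it walks the phase list of a packet-tracer output like the one posted above, records the phase that returned DROP together with the summary block, and then checks whether the destination is one of the FTD's own interface addresses reached from a different interface, which is the to-the-box case Aref describes. The sample trace is a constructed, condensed version of the posted capture, and the interface table holds the addresses given in the question.

```python
# Constructed, condensed packet-tracer output modelled on the posted capture
# (only the fields the parser reads; the real trace has eleven phases).
SAMPLE_TRACE = """\
Phase: 5
Type: ACCESS-LIST
Result: ALLOW
Phase: 11
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: inside(vrfid:0)
output-interface: dmz(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame snp_sp_handle_flow_drop:4208 flow (NA)/NA
"""

# FTD interface addresses as posted in the thread.
FTD_INTERFACE_IPS = {"inside": "192.168.15.1", "dmz": "192.168.50.2", "wan": "37.98.159.42"}


def parse_trace(text: str) -> dict:
    """Pull the dropping phase and the summary block out of packet-tracer output."""
    info = {"drop_phase": None, "drop_type": None, "ingress": None,
            "egress": None, "drop_reason": None}
    phase = None  # (number, type) of the phase currently being read
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            phase = (int(value), None)
        elif key == "Type" and phase:
            phase = (phase[0], value)
        elif key == "Result" and value == "DROP" and phase:
            info["drop_phase"], info["drop_type"] = phase
        elif key in ("input-interface", "output-interface"):
            # drop the "(vrfid:0)" suffix, keep the interface name
            info["ingress" if key == "input-interface" else "egress"] = value.split("(")[0]
        elif key == "Drop-reason":
            info["drop_reason"] = value
    return info


def diagnose(info: dict, dst_ip: str, interface_ips: dict) -> str:
    """Separate to-the-box traffic (sent to an FTD interface IP) from through-the-box traffic."""
    owner = next((ifc for ifc, ip in interface_ips.items() if ip == dst_ip), None)
    if owner is None:
        return f"through-the-box {info['ingress']} -> {info['egress']}: review access policy and NAT"
    if owner == info["ingress"]:
        return f"to-the-box on {owner}: works if ICMP to that interface is permitted"
    return (f"to-the-box via opposite interface: {dst_ip} belongs to {owner} but the packet "
            f"entered on {info['ingress']}; rejected by design, not by the access policy")
```

Run `diagnose(parse_trace(SAMPLE_TRACE), "192.168.50.2", FTD_INTERFACE_IPS)` to reproduce the case in the thread; swapping in 192.168.50.1 (the Mikrotik) gives the through-the-box verdict instead.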
