FTD: ICMP Inspection Issue

hashimwajid1 · ‎10-16-2017

Hi

recently i deployed FTD 2140 in HA. i created multiple sub-interfaces on FTD for inter-vlan routing. i am facing one issue regarding Ping between host in different VLANs and i am not able to ping between hosts in different VLANs.

1- ICMP inspection is enable via flexconfig ( i can see in running-config icmp inspection)

2- i also allowed ICMP in policy

3- all traffic is permitted in firewall

4- i can do RDP to host in different VLANs but cannot ping

5- in Packet capture only echo request can be seen but no echo reply

6- in FMC log i cannot see ICMP reply

FMC version is 6.2.2 and FTD version is 6.2.1

ostorvacisco · ‎02-23-2018

I had the same isse.

Disabling icmp inspect fixed me issue.

You can disable it with flexconfig:

policy-map global_policy
class inspection_default
no inspect ftp

#Mat · ‎02-23-2018

Hi ostorvacisco, let me modify your lines.

no inspect icmp

Hi hashimwajid1, also you can check inspect drop with:

show service-policy

show asp drop

Regards.-

.

ostorvacisco · ‎02-23-2018

Thank you Matias.

To troubleshoot deeper you can capture packets, with the following capture you can see what packets are drop in ASP.

capture CAP type asp-drop

show capture CAP

2: 10:55:09.590957 802.1Q vlan#3604 P6 arp reply 192.168.236.85 is-at 0:0:c:9f:fe:14 Drop-reason: (l2_same-lan-port) L2 Src/Dst same LAN port

I realized that some arp-reply were discarded, I dont know exactly why, but disabling that inspect the issue disapeared.

Regards,

Oscar

#Mat · ‎03-19-2018

Hi, today I had this issue I found that FTD 6.2 has ICMP inspection disable by default.

For enabling you can do it by CLI:

configure inspection ICMP enable

Regards.-

.