How to ping a subinterface on FTD

cxu21
Level 1
Level 1

We have a 1140 FTD managed by FMC. On the FTD, there is a particular subinterface that is required to be pingable.

We had the rule configured as below, but none of the interfaces is pingable.

Is there anything we missed?

We do not need to ping all subinterfaces; only one is required to be pingable.

cxu21_0-1738020796369.png

Accepted Solution

@cxu21 the FTD responds to ICMP traffic sent to the interface that traffic comes in on. In other words, if you are connected behind Eth1 you can ping Eth1, but you would not be able to ping through the FTD to ping another of the FTD's interface. That is by design.

21 Replies

From FMC > Platform Settings > ICMP

Allow ICMP on the interface and specify the subnet that can ping this interface.

MHM

Thank you for your prompt response.

I assume this is the place you refer to. We already allowed ICMP between different zones, but still could not ping.

cxu21_0-1738035727033.png

Can I see how you configured the platform setting?

MHM

@Rob Ingram The connection looks like below. What I am trying to do is ping from the internal network to the sub-interface on the FTD. I can ping all the hosts in the same subnet behind that sub-interface, but just cannot ping the sub-interface IP address.

cxu21_0-1738098716122.png

@cxu21 so you are trying to ping the FTD sub-interface the internal network is connected to? That should work; perhaps there are routing issues either on the switch or the FTD. Check the routing tables. Can the FTD ping the internal network? Take a packet capture and confirm the ping is received by the FTD. Can the internal network ping through the FTD to something on the other side of the FTD?

If you aren't pinging the sub-interface that leads to the internal network, then it won't work.
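To act on the suggestion above (capture on the FTD and confirm the echo request actually arrives on the sub-interface being pinged), here is an added example of the FTD diagnostic (LINA) CLI sequence a practitioner would run. It is not from the original thread or from Cisco's documentation for this post; the interface name "inside", the host address 10.3.0.50 and the sub-interface address 10.3.0.1 are assumptions standing in for the poster's values, and the platform-settings ICMP rule is checked with "show running-config icmp".

```cisco
! Added example, not from the original thread. Interface name and
! addresses are assumptions: replace "inside", 10.3.0.50 and 10.3.0.1
! with the sub-interface nameif, the pinging host and the sub-interface IP.

! From the FTD CLI, enter the LINA (ASA-style) diagnostic CLI
> system support diagnostic-cli
firepower> enable
firepower#

! 1. Confirm the sub-interface is up and carries the expected address
firepower# show interface ip brief
firepower# show nameif

! 2. Confirm the platform-settings ICMP rule was actually deployed
!    (this is what FMC > Platform Settings > ICMP pushes)
firepower# show running-config icmp

! 3. Capture echo request/reply between the host and the sub-interface IP
firepower# capture ICMPCAP interface inside match icmp host 10.3.0.50 host 10.3.0.1

! ... run the ping from the internal host, then inspect the capture.
!    Requests with no replies point at the ICMP rule, routing or ARP;
!    no packets at all point at the switch trunk/VLAN or the host's gateway.
firepower# show capture ICMPCAP

! 4. Simulate an echo request (ICMP type 8, code 0) to the interface itself
!    to see which check drops it without needing the host to ping
firepower# packet-tracer input inside icmp 10.3.0.50 8 0 10.3.0.1 detailed

! 5. Clean up
firepower# no capture ICMPCAP
firepower# exit
```

Note that, as the accepted solution states, a capture on any interface other than the one the host is connected behind will not show the FTD answering: the FTD only responds to ICMP destined for the interface the traffic arrives on.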

@Rob Ingram I can ping between any hosts behind different subinterfaces on the FTD from the internal network and can ping the internal network from the FTD. I just cannot ping from the internal network to the subinterface IP address.

I don't see how you configured the ICMP in platform settings.

Also, are you using a trunk between the switch and the FTD?

MHM

Yes, the connection between the switch and the FTD is configured as a trunk using a port channel for HA purposes. Here is a demo of the configuration.

interface Port-channel11
description To Primary
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk

interface GigabitEthernet1/0/24
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk
auto qos trust dscp
channel-group 11 mode active

Here is the icmp configuration screenshot in platform settings

icmp.png

Thanks for sharing more detail.

In zone/interface, do you see the subinterface name or the interface name connected to internal? If yes, select it.

MHM

I do not see the subinterface name in the zone/interface field. I just wonder if I need to configure ARP for that particular subinterface?

cxu21_0-1738103406244.png

No need.

Can I see Device Management > Interfaces?

MHM

Here is the subinterface configuration. Under IPv4, it is set to use a static IP address, and under Advanced, anti-spoofing is enabled; the others are default.

cxu21_0-1738104443997.png

cxu21_1-1738104570577.png

VLAN ID 1 <<- not allowed on the trunk?

MHM
