Solved: Re: How to ping a subinterface on FTD

cxu21 · ‎01-27-2025

We have a 1140 FTD managed by FMC, on the FTD, there is a paricular subinterface that required to be pingable.

We had the rule configured as below but none of the interface is pingable.

Is there anything we missed?

We do not need to ping all subinterface, only 1 is required to be able to ping

Rob Ingram · ‎01-28-2025

@cxu21 the FTD responds to ICMP traffic sent to the interface that traffic comes in on. In other words, if you are connected behind Eth1 you can ping Eth1, but you would not be able to ping through the FTD to ping another of the FTD's interface. That is by design.

View solution in original post

MHM Cisco World · ‎01-27-2025

From FMC >platform setting >icmp

Allow icmp in interface and specify subnet can ping to this interface

MHM

cxu21 · ‎01-27-2025

Thank you for your prompt response.

I assume this is the place you refer to, we already allowed icmp between different zones, but still could not ping.

MHM Cisco World · ‎01-28-2025

can I see how you config platform setting ?

MHM

Rob Ingram · ‎01-28-2025

@cxu21 the FTD responds to ICMP traffic sent to the interface that traffic comes in on. In other words, if you are connected behind Eth1 you can ping Eth1, but you would not be able to ping through the FTD to ping another of the FTD's interface. That is by design.

cxu21 · ‎01-28-2025

@Rob Ingram The connection looks like below, what I try to do is try to ping from the internal network to the sub-interface on the FTD. I can ping all the hosts in the same subnet behind that sub-interface, but just can not ping the sub-interface ip address.

Rob Ingram · ‎01-28-2025

@cxu21 so you are trying to ping the FTD sub-interface the internal network is connected to? that should work, perhaps routing issues either on the switch or FTD - check the routing tables. Can the FTD ping the internal network? Take a packet capture and confirm the ping is received by the FTD. Can the internal network ping through the FTD to something on the other side of the FTD?

If you aren't ping the sub-interace that leads to the internal network then it won't work.

cxu21 · ‎01-28-2025

@Rob Ingram I can ping between any hosts behind different subinterface on the FTD from internal network and can ping the internal network from FTD, just can not ping from internal network to the subinterface ip address.

MHM Cisco World · ‎01-28-2025

I don't see how you config the icmp in platform.

Also are you using trunk between SW and ftd?

MHM

cxu21 · ‎01-28-2025

Yes, the connection between switch and FTD is configured as trunk using port channel for HA purpose. Here is the demo of the configuration.

interface Port-channel11
description To Primary
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk

interface GigabitEthernet1/0/24
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk
auto qos trust dscp
channel-group 11 mode active

Here is the icmp configuration screenshot in platform settings

MHM Cisco World · ‎01-28-2025

Thanks for sharing more detail

In zone/interface do you see subinterface name or interface name connect to internal? If yes select it.

MHM

cxu21 · ‎01-28-2025

I do not see subinterface name in the zone/interface field. I just wonder if I need to configure ARP for that particular subinterface?

MHM Cisco World · ‎01-28-2025

No need,

Can İ see from device mgmt >interface

MHM

cxu21 · ‎01-28-2025

Here is the subinterface configuration. under IPv4, it selects using static with ip address and under Advanced, enable the anti spoofing, the other are default.

MHM Cisco World · ‎01-28-2025

Vlan Id 1 <<- not allow in trunk?

MHM