icmp/echo denied after upgrade to ASA 9.4(3)8

mvanbennekom
Level 1

After the upgrade from ASA 9.4(2)6 to 9.4(3)8 on an ASA5515-X, icmp/echo was denied (%ASA-4-106023) to all servers from the Internet.
All our firewall rules are based on the translated (inside) addresses.
After the update I had to change all the icmp/echo rules to allow traffic to the outside Internet addresses to get icmp/echo working again.
Luckily, all the TCP/UDP rules from the Internet access list with the normal inside addresses kept working, so we didn't have a real production outage.
Anyone else with this experience? Why was this changed, or could it be a bug?

Thanks and regards
Menno van Bennekom


Aditya Ganjoo
Cisco Employee

Hi,

Was your icmp inspection still in place after the upgrade?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

There was no 'inspect icmp' before or after the upgrade, I compared both configs with 'show run all'. By the way this is about incoming traffic (from the Internet to the DMZ).

Maybe using inspect helps, but then it's strange that this wasn't needed before.

Regards

Menno

mvanbennekom
Level 1

This now has been solved in version 9.4(3)11:

CSCva68987   ASA drops ICMP request packets when ICMP inspection is disabled
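A quick way to confirm whether an ASA is hitting the symptom described in this thread is to count the %ASA-4-106023 ICMP echo (type 8) denies per destination host and access group before and after an upgrade. The following is an added example, not code from Cisco or from the poster; the log lines, hostnames and addresses are constructed, and the message layout follows the standard 106023 format shown in the sample.

```python
import re
from collections import Counter

# Constructed sample syslog, in the standard %ASA-4-106023 layout.
# Lines 1-3: ICMP echo requests from the Internet denied on the outside ACL.
# Line 4: a TCP deny (not ICMP) and line 5: a non-106023 message, both ignored.
SAMPLE_LOG = """\
Jun 10 09:00:01 fw1 %ASA-4-106023: Deny icmp src outside:203.0.113.5 dst dmz:192.0.2.10 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
Jun 10 09:00:02 fw1 %ASA-4-106023: Deny icmp src outside:198.51.100.7 dst dmz:192.0.2.10 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
Jun 10 09:00:03 fw1 %ASA-4-106023: Deny icmp src outside:198.51.100.7 dst dmz:192.0.2.11 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
Jun 10 09:00:04 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/51000 dst dmz:192.0.2.10/23 by access-group "outside_access_in" [0x0, 0x0]
Jun 10 09:00:05 fw1 %ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.5/0 gaddr 198.51.100.1/0 laddr 192.0.2.12/0
"""

# Matches only the ICMP form of 106023; TCP/UDP denies carry ports instead of type/code.
DENY_ICMP = re.compile(
    r'%ASA-4-106023: Deny icmp src (?P<src_if>\w+):(?P<src>[\d.]+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_icmp_denies(log_text):
    """Return one dict per 106023 ICMP deny line, with type/code as ints."""
    records = []
    for line in log_text.splitlines():
        m = DENY_ICMP.search(line)
        if m:
            rec = m.groupdict()
            rec["type"] = int(rec["type"])
            rec["code"] = int(rec["code"])
            records.append(rec)
    return records


def echo_deny_summary(log_text, ingress_if="outside"):
    """Count denied echo requests (type 8) arriving on ingress_if, keyed by (acl, dst).

    A sudden jump in these counts for hosts that ping rules already cover
    is the symptom described above; a flat zero is the expected state."""
    counts = Counter()
    for rec in parse_icmp_denies(log_text):
        if rec["type"] == 8 and rec["src_if"] == ingress_if:
            counts[(rec["acl"], rec["dst"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (acl, dst), n in sorted(echo_deny_summary(SAMPLE_LOG).items()):
        print(f"{acl}: {n} echo request(s) denied to {dst}")
```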
