Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
802
Views
5
Helpful
2
Replies

routing Issue [ FTD ]

Go to solution
Abdelrahman salah
Level 1
Level 1

‎01-18-2023 05:15 PM

 

Hi all , 

I've added more subinterfaces over the FTD and set policy  [ ANY >> ANY ], but the connection between these subnets is down.

FMC version : 7.0.0 

Find the attached files to check the Configuration 

 

Abdelrahmansalah_0-1674088824888.png

Abdelrahmansalah_1-1674088937044.png

Abdelrahmansalah_2-1674089064958.png

Abdelrahmansalah_3-1674090203441.png

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
manabans
Cisco Employee
Cisco Employee

‎01-18-2023 05:59 PM

Ping requires "inspect icmp" to work. Otherwise, the FTD doesn't keep track of the ICMP flows and thus when the ICMP echo reply is received it is not recognized as part of an existing flow and is dropped. Through the FTD CLI, you can enable ICMP:

configure inspection ICMP enable 

View solution in original post

2 Replies 2

Go to solution
manabans
Cisco Employee
Cisco Employee

‎01-18-2023 05:59 PM

Ping requires "inspect icmp" to work. Otherwise, the FTD doesn't keep track of the ICMP flows and thus when the ICMP echo reply is received it is not recognized as part of an existing flow and is dropped. Through the FTD CLI, you can enable ICMP:

configure inspection ICMP enable 

Go to solution
Marius Gunnerud
VIP
VIP

‎01-19-2023 01:52 AM

Some very basic questions to start with.

  • Is the switch interface that connects to the FTD configured as a trunk and are VLAN 2 and 22 permitted on this trunk port?
  • Are the VLANs configured on the switch?
  • Are the ports that the PCs are connected configured to be in either VLAN 2 or 22?
  • Are the FTD sub-interfaces for VLAN 2 and 22 configured correctly? Are the VLAN ID's set correctly?
  • Are the PCs in VLAN 2 and 22 using the FTD interface IP as their default gateway?
  • can you ping the hosts on VLAN 2 and 22 from the FTD? Remember to disable or allow ICMP in the local firewall on the PCs
  • Do you see this traffic in the log on the firewall?
  • on the FTD issue the command system support firewall-engine-debug and initiate a connection test between the PCs and then check the output of the debug to see if traffic is being allowed.
  • you can also configure a packet capture on the FTD VLAN 2 and 22 interfaces to also verify you are seeing packets being sent and received on both interfaces.

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Review Cisco Networking for a $25 gift card
Top