Solved: routing Issue [ FTD ]

Abdelrahman salah · ‎01-18-2023

Hi all ,

I've added more subinterfaces over the FTD and set policy [ ANY >> ANY ], but the connection between these subnets is down.

FMC version : 7.0.0

Find the attached files to check the Configuration

manabans · ‎01-18-2023

Ping requires "inspect icmp" to work. Otherwise, the FTD doesn't keep track of the ICMP flows and thus when the ICMP echo reply is received it is not recognized as part of an existing flow and is dropped. Through the FTD CLI, you can enable ICMP:

configure inspection ICMP enable

View solution in original post

manabans · ‎01-18-2023

Ping requires "inspect icmp" to work. Otherwise, the FTD doesn't keep track of the ICMP flows and thus when the ICMP echo reply is received it is not recognized as part of an existing flow and is dropped. Through the FTD CLI, you can enable ICMP:

configure inspection ICMP enable

Marius Gunnerud · ‎01-19-2023

Some very basic questions to start with.

Is the switch interface that connects to the FTD configured as a trunk and are VLAN 2 and 22 permitted on this trunk port?
Are the VLANs configured on the switch?
Are the ports that the PCs are connected configured to be in either VLAN 2 or 22?
Are the FTD sub-interfaces for VLAN 2 and 22 configured correctly? Are the VLAN ID's set correctly?
Are the PCs in VLAN 2 and 22 using the FTD interface IP as their default gateway?
can you ping the hosts on VLAN 2 and 22 from the FTD? Remember to disable or allow ICMP in the local firewall on the PCs
Do you see this traffic in the log on the firewall?
on the FTD issue the command system support firewall-engine-debug and initiate a connection test between the PCs and then check the output of the debug to see if traffic is being allowed.
you can also configure a packet capture on the FTD VLAN 2 and 22 interfaces to also verify you are seeing packets being sent and received on both interfaces.

--
Please remember to select a correct answer and rate helpful posts