Still can't traceroute through FTD (6.2.3.2)

peter0023 (Level 1)

Hi all,

I have an FTD 2130 running version 6.2.3.2. I'm facing an issue where a traceroute from a server to e.g. 8.8.8.8 always shows *.

I have read many articles, and I have tried:

1. Setting a policy from outside to inside that allows all ICMP.

2. Adding a FlexConfig with:

     policy-map global_policy
       class class-default
        set connection decrement-ttl

It's still not working. Can someone help me fix it? Thanks a lot.

=============update======================

I fixed this issue, thanks.....


Marvin Rhoads (Hall of Fame)

Here are the key commands I have on my FTD for traceroute functionality. Check your config against this and let me know if you see any discrepancies.


> show running-config policy-map global_policy
!
policy-map global_policy
 class inspection_default
  <snipped irrelevant bits>
  inspect icmp 
  inspect icmp error 
 class class-default
  <snipped irrelevant bits>
  set connection decrement-ttl

> show running-config | include icmp permit
icmp permit any time-exceeded <nameif of your outside interface>
icmp permit any unreachable <nameif of your outside interface>
>

Hi sir,
Thank you for the reply. Here is my config:

> show running-config policy-map global_policy
!
policy-map global_policy
class inspection_default
.......
inspect icmp error
inspect icmp
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
set connection decrement-ttl
!
> show running-config | include icmp permit
icmp permit any unreachable Internet_att
icmp permit any time-exceeded Internet_att

The config is the same, but it's still not working. What's wrong? >< Please help me.
Thanks.

Can you confirm that the FTD inside address is your default gateway?

If there was another firewall first in the path, that could cause the issue.

Hi sir,
Thanks. In our scenario there is only one FTD, so the server's gateway is the FTD.
Scenario:
server1-----|
server2-------- SW ----FTD
server3-----|   |-------------isp

Is there anything else I need to check? Thanks.

Are connections other than traceroute working?

Something such as web browsing (tcp/80 or 443)?

Are you serious?
Just traceroute isn't working; everything else is working.

Any better idea? Thanks.

=======update=======

I fixed it, thanks all.

What was the fix?

Go to system support diag in the FTD CLI. From there, issue the command sh run access-l and post the output.

Hi, please refer to this:

> show running-config access-group
access-group CSM_FW_ACL_ global
> show running-config access-list
access-list CSM_FW_ACL_ remark rule-id 268440659: ACCESS POLICY: default - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268440659: L7 RULE: icmp-test
access-list CSM_FW_ACL_ advanced permit icmp any any unreachable rule-id 268440659
access-list CSM_FW_ACL_ advanced permit icmp any any time-exceeded rule-id 268440659

access-list CSM_FW_ACL_ remark rule-id 268435473: ACCESS POLICY: default - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435473: L7 RULE: Prod Servers_Internet
access-list CSM_FW_ACL_ advanced permit ip ifc frontend object 10.13.0.0_16 ifc Internet_att object 0.0.0.0_0 rule-id 268435473

I don't see echo reply allowed in your ACLs. You need it in addition to unreachable and time-exceeded.

Still not working:
access-list CSM_FW_ACL_ remark rule-id 268440659: ACCESS POLICY: default - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268440659: L7 RULE: icmp-test
access-list CSM_FW_ACL_ advanced permit icmp any any unreachable rule-id 268440659
access-list CSM_FW_ACL_ advanced permit icmp any any time-exceeded rule-id 268440659
access-list CSM_FW_ACL_ advanced permit icmp any any echo-reply rule-id 268440659

Actually, I also set a policy at the top, which is:
access-list CSM_FW_ACL_ remark rule-id 268440657: ACCESS POLICY: default - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268440657: L7 RULE: Traceroute
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268440657

None of them are working.....

Add inspect icmp and icmp error to your default inspection policy
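Marvin's checklist earlier in the thread (inspect icmp, inspect icmp error, set connection decrement-ttl, the icmp permit lines for time-exceeded and unreachable on the outside nameif) plus the echo-reply ACL point raised just above can be audited mechanically against a pasted `show running-config`. This is an added example, not code from the thread or from Cisco; the sample config is constructed from what the poster pasted, and the outside nameif is passed in as a parameter.

```python
import re
# Constructed sample in the shape the poster pasted above (trimmed; not the real config).
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect icmp error
  inspect icmp
 class class-default
  set connection decrement-ttl
icmp permit any unreachable Internet_att
icmp permit any time-exceeded Internet_att
access-list CSM_FW_ACL_ advanced permit icmp any any unreachable rule-id 268440659
access-list CSM_FW_ACL_ advanced permit icmp any any time-exceeded rule-id 268440659
"""
ICMP_TYPES = {"echo", "echo-reply", "time-exceeded", "unreachable", "traceroute"}  # ACL type keywords

def policy_map_body(config, name="global_policy"):
    """Stripped lines inside the named policy-map, up to the next top-level stanza."""
    body, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"policy-map {name}"):
            inside = True
        elif inside and line and not line[0].isspace():
            break
        elif inside:
            body.append(line.strip())
    return body

def acl_permits_icmp(config, icmp_type):
    """True if an ACL entry permits this ICMP type, or all ICMP (no type keyword)."""
    for line in config.splitlines():
        m = re.match(r"access-list \S+ advanced permit icmp (.*)", line)
        if m:
            tokens = m.group(1).split()
            tokens = tokens[: tokens.index("rule-id")] if "rule-id" in tokens else tokens
            if icmp_type in tokens or not (ICMP_TYPES & set(tokens)):
                return True
    return False

def missing_traceroute_settings(config, outside_if):
    """Checklist items from the replies above that are absent from the config."""
    body, lines = policy_map_body(config), config.splitlines()
    checks = {c: c in body for c in
              ("inspect icmp", "inspect icmp error", "set connection decrement-ttl")}
    for t in ("time-exceeded", "unreachable"):  # ICMP-to-the-box permits on outside
        checks[f"icmp permit any {t} {outside_if}"] = f"icmp permit any {t} {outside_if}" in lines
    for t in ("time-exceeded", "unreachable", "echo-reply"):  # through-the-box ACL entries
        checks[f"ACL permit icmp {t}"] = acl_permits_icmp(config, t)
    return [item for item, present in checks.items() if not present]
```

Running it on the constructed sample reports only the missing echo-reply ACL entry, which is the gap pointed out in the reply above.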

owen75522 (Level 1)

Please provide the traceroute result so we can take a look.

Hi, please refer to this:

C:\Users\Administrator>tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 14 ms 14 ms 14 ms 8.8.8.8
Trace complete.

Any idea?