Solved: traceroute across fwsm - icmp no matching session

ippolito · ‎02-06-2010

Traceroute fails across fwsm 4.0(6) in transparent mode, with this error:

Denied ICMP type=11, from laddr 10.1.1.1 on interface outside to 10.2.2.2: no matching session

Finally figured out that the fix is to enable icmp inspection (in ASDM: Service Policy Rules -> Inspection_default -> Rule Actions). Wondering why this works, i.e. what does enabling icmp inspection do and will it break anything else or add to the cpu load.

thanks,

Mike

Kureli Sankar · ‎02-06-2010

You probably enabled icmp and icmp error inspection.

ICMP request and response are new connections unlike tcp. Without inspection reply will not be allowed unless you allow it via acl.

For trace to come back you need icmp error inspection as well. As the ICMP control messages may come from a totally diffrent IP address than the destination IP address which was in the initial traceroute destination.

You can read about how traceroute works here: http://www.tek-tips.com/faqs.cfm?fid=381

How to enable traceroute through PIX/ASA/FWSM here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Any inspection if used heavily may elevate the cpu.

-KS

View solution in original post

Kureli Sankar · ‎02-06-2010