Showing results for 
Search instead for 
Did you mean: 

Rising star

Traceroute through FTD Sensor?

Does anyone have an FTD based firewall running, where traceroute through it works ?

In ASA, enabling inspection of icmp/icmp error, allowed traceroute to match icmp replies and allow them, without having to open icmp return packets on the outside interface.

This as far as i can tell, is not the case with FTD, I have no policies allowing any traffic from outside->inside, which is what i wan't. The FTD is not blocking the return packets for http/https or any other regular protocol, however it does seem to be blocking the return icmp packets, it seems like the old-style ASA icmp/icmp error inspection, is not working like it used to.

Anyone having problems with traceroute and FTD also ?


Marvin Rhoads
VIP Community Legend

There is a bug with 6.1, 6.2 (and even the soon-to-be-released 6.2.1) that may apply to your issue:

The Bug description doesn't say so, but you should be able to use FlexConfig on 6.2+ to add the inspect statements back into the configuration.

I filed this bug after verifying in lab. Yes you can use Flex config to add inspects. The bug has been fixed in

dinsharm  ,

Thanks for the update. the BugID needs to be updated to show as a known fixed release.

Unfortunately the fix did not make it in to 6.2.1. Maybe 6.2.2...?

Yes, The fix will be integrated for 6.2.2. We are also trying to get a document out with details. (Specially for FP2100 devices). I will correct the bug fixed versions.

That's great news Dinkar - thanks.

I look forward to 6.2.2.

By the way - fix is confirmed for 6.2.2

... wish I had found this thread earlier. Been bashing my head for quite a few days.
Can anyone confirm this was actually fixed? I'm running on my lab device and the echo reply is still being blocked by the FTD sensor for any hops in the path. It works though for the destination address, but I could then just use a simple ping for that...

I have the same f.... problem investigating the whole day for now... I updated from to because I need the VPN Access, but my feeling is that this version has more problems than the 6.2.0. Also I am actual unable to resolve DNS requests through the ASA. But this might be an another problem...

It's not working for me either.

Here's my working configuration that allows both icmp reachability and proper traceroute output (i.e. with first route at FTD firewall reported) from my setup. Basically icmp is being inspected by default but I needed to add the echo replies (both Windows and Unix style) inbound (a platform setting)  and also set my policy-map to decrement TTL ( a FlexConfig setup).


FlexConfig object.PNGTraceroute platform settings.PNGFlexConfig applied.PNGTraceroute through FTD.PNG

Thank you! ...but ist there a way to apply this on FTD Device Manager directly?

Marvin Rhoads
VIP Community Legend

Sorry but no - FDM does not support FlexConfigs. 


Those are one of several configuration options not supported via FDM. Others include:


dynamic routing

AAA server

multiple local users

certificates (other than the self-signed one)*




redundant interface

SNMP configuration

correlation policy

centralized management of multiple devices


*limited certificate support is now available - no CSR capability.

Thank you again :) haha you have removed the site-to-site VPN from the list, thats correct :)

 ...but I will check that with the certificates double, as I saw an option to upload your own.

Hopefully cisco pushes the development a little bit more for the FTD.




Marvin Rhoads
VIP Community Legend

Thanks Leon for pointing out the certificate bit. I updated my earlier post to correct it.


I had missed that but found it when I dug into my ASA 5506 running FTD with FDM.


It looks like you can upload but need to generate the key off-box (i.e. no Certificate Signing Request capability). So the super simple GUI requires you also be handy with openssl cli to generate a private key and CSR and then send it off to your CA. 


FDM Certificate upload.PNG

Recognize Your Peers
Content for Community-Ad