Traceroute through FTD vs SLA monitor

atsukane
Level 1

Hi All,

I'm trying to allow traceroute through the firewall as per the doc below; however, when I update the Platform Settings to permit traceroute on Inside, Outside and another zone, the SLA monitor that is tracking the primary ISP goes down and fails over to the secondary ISP. I've set the rate-limit and burst-limit to 3.

Allow Traceroute through Firepower Threat Defense (FTD) - Cisco

The SLA, track and routing configs are below. Basically it is monitoring and tracking the primary ISP1's next-hop addresses (1.1.1.1 and 2.2.2.2 in the example below), and if both fail the floating default route would kick in.

####SLA monitor configuration####

> show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 1.1.1.1
Interface: ISP1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 15
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 2.2.2.2
Interface: ISP1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 15
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

>

####track configuration####

> show track
Track 1
Response Time Reporter 2 reachability
Reachability is Up
112 changes, last change 01:34:05
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
Track 2
Response Time Reporter 1 reachability
Reachability is Up
98 changes, last change 2d04h
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
>


####routing####
route ISP1 0.0.0.0 0.0.0.0 192.168.100.1 1 track 1
route ISP1 0.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP1 128.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP2 0.0.0.0 0.0.0.0 192.168.200.1 5

####

 

The ACP is allowing icmp3 and icmp11 from the OUTSIDE zone to the host that I want to allow traceroute to (the destination host does not reside in INSIDE, but in a different zone).

I notice that the above Cisco doc says "Caution: Ensure ICMP Destination Unreachable (Type 3) and ICMP Time Exceeded (Type 11) are allowed from Outside to Inside in the ACL policy or Fastpath'ed in Pre-filter policy." I'm not sure whether this is causing the issue.

Any suggestions are very much appreciated.

 

Many thanks,
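
As an added example (not from this thread, Cisco, or the linked docs), here is a small Python model of the failover logic in the SLA/track/route configuration above: it parses a constructed "show track" output and the four route lines, treats a tracked static route as installed only while its track object is Up, and then picks the next hop by longest prefix and lowest administrative distance, so you can see which ISP carries traffic for each combination of track states. The dictionary field names and the sample track states (Track 2 forced Down) are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: "show track" output like the thread's, with Track 2 flipped to Down.
SHOW_TRACK = """Track 1
Reachability is Up
112 changes, last change 01:34:05
Track 2
Reachability is Down
98 changes, last change 2d04h
"""

# The thread's routes: a tracked default plus two tracked /1 halves on ISP1, and an
# untracked floating default on ISP2 with a worse administrative distance (5).
ROUTES = """route ISP1 0.0.0.0 0.0.0.0 192.168.100.1 1 track 1
route ISP1 0.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP1 128.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP2 0.0.0.0 0.0.0.0 192.168.200.1 5
"""

def parse_track(text):
    """Map track id -> {'up': bool, 'changes': int} from 'show track' output."""
    state, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Track (\d+)", line):
            cur = int(m.group(1))
            state[cur] = {"up": False, "changes": 0}
        elif m := re.match(r"Reachability is (Up|Down)", line):
            state[cur]["up"] = m.group(1) == "Up"
        elif m := re.match(r"(\d+) changes", line):
            state[cur]["changes"] = int(m.group(1))
    return state

def parse_routes(text):
    """Parse 'route IFACE NET MASK NEXTHOP DISTANCE [track N]' lines."""
    pat = re.compile(r"route (\S+) (\S+) (\S+) (\S+) (\d+)(?: track (\d+))?")
    return [{"iface": i, "net": ipaddress.IPv4Network(f"{n}/{m}"), "nh": nh,
             "dist": int(d), "track": int(t) if t else None}
            for i, n, m, nh, d, t in pat.findall(text)]

def next_hop(dst, routes, track_state):
    """Tracked routes count only while their track is Up; then longest prefix, lowest distance."""
    addr = ipaddress.IPv4Address(dst)
    live = [r for r in routes if addr in r["net"]
            and (r["track"] is None or track_state.get(r["track"], {}).get("up"))]
    if not live:
        return None
    best = min(live, key=lambda r: (-r["net"].prefixlen, r["dist"]))
    return best["iface"], best["nh"]
```

The change counter parsed from "show track" (112 changes on Track 1 in the original output) is worth watching separately: a probe that flaps that often points at dropped or rate-limited probe packets rather than a clean ISP outage.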

6 Replies

Is the FTD managed by FMC? If yes, in FMC increase the ICMP rate limit a little.

I think you hit the limit and hence the FTD drops some ICMP, which makes the route go down.

MHM

atsukane
Level 1

Hi, yes, the FTDs are FMC managed.

Devices > Platform Settings > ICMP

Rate limit

Increase it a little.

MHM

atsukane
Level 1

Thanks, I'll try that.

I've since found this link as well: FTD allow ICMP/traceroute – integrating IT (wordpress.com), which seems to involve more than the Cisco doc, but from the URL it looks like this was written back in 2019, so not all the steps stated there may be required.

If the rate limit does not help you, then check:

The ACP allows ICMP destination unreachable and ICMP time exceeded for traceroute.

Add ICMP reply to it. I know traffic toward the FTD interface is not affected by the ACP, but let's just check.

MHM

Device > Platform Settings

ICMP

Add ICMP reply to this list.

Waiting for your reply.

Thanks 

MHM
