03-25-2024 05:05 AM
Hi All,
I'm trying to allow traceroute through the firewall as per the doc below; however, when I update the Platform Settings to permit traceroute on Inside, Outside and another zone, the SLA monitor that is tracking the primary ISP goes down and fails over to the secondary ISP. I've set the rate-limit and burst-limit to 3.
Allow Traceroute through Firepower Threat Defense (FTD) - Cisco
The SLA, track and routing configs are below. Basically they monitor and track the primary ISP1's next-hop addresses (1.1.1.1 and 2.2.2.2 in the example below), and if both fail the floating default route kicks in.
#####SLA monitor configuration####
> show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 1.1.1.1
Interface: ISP1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 15
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 2.2.2.2
Interface: ISP1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 15
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
>
####track configuration####
> show track
Track 1
Response Time Reporter 2 reachability
Reachability is Up
112 changes, last change 01:34:05
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
Track 2
Response Time Reporter 1 reachability
Reachability is Up
98 changes, last change 2d04h
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
>
####routing####
route ISP1 0.0.0.0 0.0.0.0 192.168.100.1 1 track 1
route ISP1 0.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP1 128.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP2 0.0.0.0 0.0.0.0 192.168.200.1 5
####
The ACP is allowing icmp3 and icmp11 from the OUTSIDE zone to the host that I want to allow traceroute to (the destination host does not reside in INSIDE, but in a different zone).
I notice that the above Cisco doc says "Caution: Ensure ICMP Destination Unreachable (Type 3) and ICMP Time Exceeded (Type 11) are allowed from Outside to Inside in the ACL policy or Fastpath'ed in Pre-filter policy." I'm not sure whether this is causing the issue.
Any suggestions are very much appreciated.
Many thanks,
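As an added example (not from this thread, Cisco or the FTD itself), the script below parses the "show track" and static-route output quoted above and flags any tracked route whose track is down or has changed state more often than an assumed threshold, which is how the 112 and 98 changes above would surface in monitoring before a failover is noticed. The sample text is copied from the post; only the lines the parser reads are kept.

```python
import re
# Constructed sample: the "show track" lines this parser uses, and the static routes, both copied from the post above.
SHOW_TRACK = """\
Track 1
Response Time Reporter 2 reachability
Reachability is Up
112 changes, last change 01:34:05
Track 2
Response Time Reporter 1 reachability
Reachability is Up
98 changes, last change 2d04h
"""
ROUTES = """\
route ISP1 0.0.0.0 0.0.0.0 192.168.100.1 1 track 1
route ISP1 0.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP1 128.0.0.0 128.0.0.0 192.168.100.1 1 track 2
route ISP2 0.0.0.0 0.0.0.0 192.168.200.1 5
"""

def parse_tracks(text):
    """Map track id -> {'rtr': SLA monitor entry, 'up': bool, 'changes': int}."""
    tracks, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"Track (\d+)", line):
            cur = tracks.setdefault(int(m[1]), {"rtr": None, "up": None, "changes": 0})
        elif cur and (m := re.match(r"Response Time Reporter (\d+)", line)):
            cur["rtr"] = int(m[1])
        elif cur and (m := re.match(r"Reachability is (\w+)", line)):
            cur["up"] = m[1] == "Up"
        elif cur and (m := re.match(r"(\d+) changes", line)):
            cur["changes"] = int(m[1])
    return tracks

def parse_routes(text):
    # Parse 'route IFACE NET MASK GW METRIC [track N]' lines into dicts.
    routes = []
    for p in (line.split() for line in text.splitlines()):
        if len(p) >= 6 and p[0] == "route":
            track = int(p[p.index("track") + 1]) if "track" in p else None
            routes.append({"iface": p[1], "prefix": f"{p[2]}/{p[3]}", "gw": p[4], "track": track})
    return routes

def unstable_routes(tracks, routes, max_changes=10):
    """Report tracked routes whose track is down or has flapped more than max_changes times (assumed threshold)."""
    report = []
    for r in routes:
        t = tracks.get(r["track"])
        if t and (not t["up"] or t["changes"] > max_changes):
            state = "DOWN" if not t["up"] else f"flapping ({t['changes']} changes)"
            report.append(f"{r['iface']} {r['prefix']} via {r['gw']} track {r['track']} (SLA {t['rtr']}): {state}")
    return report
```

Pasting fresh output of `show track` and `show running-config route` into the two constants gives an at-a-glance view of which primary-ISP routes are at risk of withdrawing.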
03-25-2024 08:37 AM
FTD managed by FMC? If yes, in FMC increase the ICMP rate limit a little.
I think you hit the limit and hence the FTD drops some ICMP, which makes the route go down.
MHM
03-25-2024 09:50 AM
Hi, yes, the FTDs are FMC managed.
03-25-2024 09:55 AM
Devices > Platform Settings > ICMP
Rate limit
Increase it a little.
MHM
03-25-2024 09:59 AM
Thanks, I'll try that.
I've since found this link as well: FTD allow ICMP/traceroute – integrating IT (wordpress.com), which seems to involve more than the Cisco doc, but from the URL it looks like this was written back in 2019, so not all steps stated there may be required.
03-25-2024 10:08 AM - edited 03-25-2024 10:09 AM
If the rate limit does not help you, then check:
ACP is allowing ICMP destination unreachable and ICMP time exceeded for traceroute.
Add ICMP reply to it. I know the traffic toward the FTD interface is not affected by the ACP, but let's just check.
MHM
03-30-2024 10:46 AM
Devices > Platform Settings
ICMP
Add ICMP reply to this list.
Waiting for your reply.
Thanks
MHM