Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2725
Views
14
Helpful
17
Replies

Unable to ping outside interfaces on FTDs (IOS 7.2.5)

Go to solution
Ditter
Level 4
Level 4

‎02-19-2024 05:28 AM

Hi, never found why i can not ping outside marked interfaces on FTD device although via platform settings this is open.

Please refer to the attached screeshot.

Thanks,

Ditter.

Preview file
62 KB
0 Helpful
1 Accepted Solution

Accepted Solutions
17 Replies 17

Go to solution
MHM Cisco World
VIP
VIP

‎02-19-2024 05:33 AM

From where you are ping ? Is it from PC direct connect to outside and use same subnet as outside interface?

MHM

Go to solution
Ditter
Level 4
Level 4

‎02-19-2024 05:50 AM

Hi , thanks for the  immediate response.

The topology is as follows :  

PC -->  RTR1 <---> FTD <--- OUTSIDE INTERFACE No.1

PC has as GW the RTR1.

RTR1 and FTD communicate through OSPF in area 0.

FTD has one of its outside interfaces in area 1 - so it is an ABR.  The IP that i can not ping is this interface in the FTD. 

The routing table of RTR1 knows through the OSPF running at area 0 where it is this subnet.  It is indicated an inter-area route learned by ospf with the next hop the area 0 FTD interface.

But not able to ping it.

The connection between the RTR1 and the FTD is trunk will all vlans allowed.

Any ideas why i can not ping from the PC the SVI interface on the FTD?

Thanks,

Ditter.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Ditter

‎02-19-2024 05:53 AM

trunk between FTD and Router, are router use subinterface ?
the SVI of Outside tag with which vlan, use that vlan in config subinterface in router 

MHM 

0 Helpful

Go to solution
Ditter
Level 4
Level 4
In response to MHM Cisco World

‎02-19-2024 06:13 AM

I am trying to ping the SVI 26 from another subnet,   SVI 26 is the one in the FTD i am trying to ping from the outside. 

The FTD is on a trunk between the router and a switch.

So to be more precise : 

RTR1 (Cisco 6500) <--Trunk all vlans--SWITCH---Trunk all vlans-->FTD.

Preview file
15 KB
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Ditter

‎02-19-2024 06:18 AM

Can i see the config of 6500 

Show run | sec interface 

Go to solution
Ditter
Level 4
Level 4
In response to MHM Cisco World

‎02-19-2024 06:39 AM

thanks MHM,

but it is not easy for me to share this config.

Actually the 6500 passes all vlans to a third party switch and from that switch there is a trunk with the FTD (again all vlans created and passing through the trunks).

Currently i can ping the backbone area 0 interface of the FTD because it is on same subnet as the 6500.  

In fact i could ping this backbone L3 interface even before manipulating the platform settings of the FTDs.

As i understand till now you are suspecting a routing problem and/or a L2 issue.  

According to my first thread and the config in the Platfrom settings of the FTD if everything was OK i should me able to ping this SVI running on area 1 of the FTD from the outside  (if everything was correct from the L3 perspective) 

Correct?

Thanks,

Ditter.

Go to solution
MHM Cisco World
VIP
VIP
In response to Ditter

‎02-19-2024 07:39 AM

I will share topolgy with some points to check 

Thanks 

MHM

Go to solution
Ditter
Level 4
Level 4
In response to MHM Cisco World

‎02-20-2024 04:00 AM - edited ‎02-20-2024 04:01 AM

Thanks a lot for your drawing!

I understood that the problem was a combination of things.  The user is behind the 6500 , the traffic reached the FTD but there were two outside interfaces and the RPF check in the 6500 stopped the traffic to come back to the user because it received it not from the original interface but from the second one.  When disabled the RPF (which basically shouldn't generally speaking to be disabled) the traffic returned back to the client.

Again , thanks for your help.

Ditter.

Go to solution
Karsten Iwen
VIP
VIP
In response to Ditter

‎02-19-2024 07:04 AM

It is by design on the  FTD (same forever with the ASA) that a remote interface can not be pinged. You only can ping the interface on which the echo request enters the device. There is one exception for VPNs, but that is not relevant to your setup.

Go to solution
Aref Alsouqi
VIP
VIP

‎02-19-2024 09:15 AM

I agree with @Karsten Iwen, if you try to ping an interface on an FTD or an ASA from an opposite interface, that traffic will never be successful. For example, if you try to ping the FTD outside interface coming from inside it won't work, same concept applies to any other interfaces. This had been always the case, and it seems to be by design or a flaw on the original design, but the end result is that it won't work. :-).

Go to solution
Ditter
Level 4
Level 4
In response to Aref Alsouqi

‎02-19-2024 10:18 AM

Thanks Aref and @karsb 

but what is the meaning of the icmp menu in platform settings?  Is it only for outside networks to be able to ping outside interfaces of the FTD device?  Please see attached png.

Preview file
57 KB
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Ditter

‎02-19-2024 11:15 AM

This is to control every aspect of ICMP handling on that interface. Be careful, it works like an ACL with an implicit deny at the end.

Go to solution
Ditter
Level 4
Level 4
In response to Karsten Iwen

‎02-19-2024 11:48 AM

Thanks, i am trying something simple (i think).

I am trying to ping the outside interface of an FTD  from a pc behind a third  router.

Routing works, i can see the FTD subnet (this outside zone interface) as ospf route in the routing table of the third router,  but ping from the PC fails.

ICMP is permitted in platform settings.

Thanks,

 

Ditter.

Preview file
62 KB
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card