We have a set of FWSM running 3.2(1).
Rules are set to allow ICMP both inbound and outbound.
However, traceroute gives some unexpected results: half of the hosts do not respond. It also produces the following message in the log.
%FWSM-4-313004:Denied ICMP type=icmp_type, from source_address oninterface interface_name to dest_address:no matching session
ICMP packets were dropped by the security appliance because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the security appliance or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the security appliance.
Any idea what I can do to fix this? I am not worried about the syslog message, I can always filter these out. But I need reliable traceroute.
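An added example, not part of the original post: a small Python triage script that parses 313004 messages and counts the denials per interface and ICMP type, separating echo replies from ICMP error messages as the message description above does. The sample log lines, host name and addresses are constructed, and the regex assumes IPv4 addresses and the message layout quoted in the post.

```python
import re
from collections import Counter

# Layout taken from the message quoted in the post. Whitespace around
# "on interface" and the colons is optional because exports differ.
# Assumption: IPv4 addresses (no colons inside the destination field).
MSG_313004 = re.compile(
    r"%FWSM-4-313004:\s*Denied ICMP type=(?P<type>\d+),\s*from\s+(?P<src>\S+)\s+"
    r"on\s*interface\s+(?P<ifc>\S+)\s+to\s+(?P<dst>[^:\s]+)\s*:\s*no matching session"
)

# Standard ICMP error message types; type 0 is echo reply.
ICMP_ERRORS = {3: "destination-unreachable", 4: "source-quench",
               5: "redirect", 11: "time-exceeded", 12: "parameter-problem"}

def classify(icmp_type):
    """Map an ICMP type to the two drop cases the description names."""
    if icmp_type == 0:
        return "echo-reply"
    if icmp_type in ICMP_ERRORS:
        return "error:" + ICMP_ERRORS[icmp_type]
    return "other"

def summarize(lines):
    """Count 313004 denials keyed by (interface, ICMP type, class)."""
    counts = Counter()
    for line in lines:
        m = MSG_313004.search(line)
        if m is None:
            continue  # not a 313004 message
        t = int(m["type"])
        counts[(m["ifc"], t, classify(t))] += 1
    return counts

# Constructed sample input (documentation address ranges, hypothetical host fw1).
SAMPLE = [
    "Mar 01 10:00:01 fw1 %FWSM-4-313004: Denied ICMP type=11, from 198.51.100.1 on interface outside to 192.0.2.10: no matching session",
    "Mar 01 10:00:02 fw1 %FWSM-4-313004:Denied ICMP type=11, from 198.51.100.9 oninterface outside to 192.0.2.10:no matching session",
    "Mar 01 10:00:03 fw1 %FWSM-4-313004: Denied ICMP type=3, from 203.0.113.5 on interface outside to 192.0.2.10: no matching session",
    "Mar 01 10:00:04 fw1 %FWSM-4-313004: Denied ICMP type=0, from 203.0.113.5 on interface outside to 192.0.2.10: no matching session",
    "Mar 01 10:00:05 fw1 unrelated line (constructed)",
]

if __name__ == "__main__":
    for (ifc, t, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"{ifc:10} type={t:<3} {kind:32} {n}")
```

Type 11 and type 3 counts correspond to the responses traceroute waits for from intermediate hops and from the destination, so the summary shows which of them the stateful ICMP check is discarding.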