Traceroute fails across fwsm 4.0(6) in transparent mode, with this error:
Denied ICMP type=11, from laddr 10.1.1.1 on interface outside to 10.2.2.2: no matching session
Finally figured out that the fix is to enable ICMP inspection (in ASDM: Service Policy Rules -> Inspection_default -> Rule Actions). Wondering why this works, i.e. what does enabling ICMP inspection do, and will it break anything else or add to the CPU load?
You probably enabled ICMP and ICMP error inspection.
ICMP request and response are new connections, unlike TCP. Without inspection, the reply will not be allowed unless you allow it via an ACL.
For the trace to come back you need ICMP error inspection as well, as the ICMP control messages may come from a totally different IP address than the destination IP address that was in the initial traceroute destination.
You can read about how traceroute works here: http://www.tek-tips.com/faqs.cfm?fid=381
How to enable traceroute through PIX/ASA/FWSM here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Any inspection, if used heavily, may elevate the CPU load.
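To make the two points in the answer concrete (an echo reply only matches a session that ICMP inspection created from the outbound request, and a TTL-exceeded error has to be matched on the probe quoted inside it because its outer source address is a router, not the traceroute target), here is a small stateful-firewall model. It is an added illustration written for this thread, not FWSM code or a Cisco example; the packets, the inside host 10.2.2.2, the hop router 10.1.1.1 (the two addresses from the logged message) and the target 198.51.100.9 are all constructed, the probes are ICMP echo (as Windows tracert sends; UDP-probe traceroute would be matched the same way on the quoted UDP header), and the session key and deny text only approximate what the FWSM does.

```python
import socket
import struct

# ICMP types used below
ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11
IPPROTO_ICMP = 1


def ipv4(src, dst, ttl, proto, payload):
    """Minimal IPv4 header (20 bytes, no options, checksum left zero) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def icmp_echo(typ, ident, seq):
    """ICMP echo request/reply header: type, code, checksum (left zero), identifier, sequence."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq)


def icmp_time_exceeded(original_pkt):
    """ICMP type 11 code 0: 4 unused bytes, then the original IP header plus 8 payload bytes (RFC 792)."""
    return struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0) + original_pkt[:28]


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


class Firewall:
    """Toy stateful firewall: inside hosts send outbound; everything else arrives inbound on 'outside'."""

    def __init__(self, inspect_icmp=False, inspect_icmp_error=False, acl_permits_inbound_icmp=False):
        self.inspect_icmp = inspect_icmp
        self.inspect_icmp_error = inspect_icmp_error
        self.acl_permits_inbound_icmp = acl_permits_inbound_icmp
        self.sessions = set()  # (inside_ip, outside_ip, icmp_id, seq), one entry per outstanding echo

    def outbound(self, pkt):
        src, dst, proto, payload = parse_ipv4(pkt)
        if self.inspect_icmp and proto == IPPROTO_ICMP and payload[0] == ECHO_REQUEST:
            _, _, _, ident, seq = struct.unpack("!BBHHH", payload[:8])
            self.sessions.add((src, dst, ident, seq))  # ICMP inspection creates the session here
        return "permit"

    def inbound(self, pkt):
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto != IPPROTO_ICMP:
            return "deny: non-ICMP traffic not modelled"
        typ = payload[0]
        key = None
        if typ == ECHO_REPLY and self.inspect_icmp:
            _, _, _, ident, seq = struct.unpack("!BBHHH", payload[:8])
            key = (dst, src, ident, seq)  # a reply comes from the session's own destination
        elif typ == TIME_EXCEEDED and self.inspect_icmp_error:
            # ICMP error inspection looks at the quoted probe, not at the outer source (the router)
            isrc, idst, iproto, ipayload = parse_ipv4(payload[8:])
            if iproto == IPPROTO_ICMP and ipayload[0] == ECHO_REQUEST:
                _, _, _, ident, seq = struct.unpack("!BBHHH", ipayload[:8])
                key = (isrc, idst, ident, seq)
        if key in self.sessions:
            if typ == ECHO_REPLY:
                self.sessions.discard(key)  # echo is one request, one reply; the error leaves it open
            return "permit: matching session"
        if self.acl_permits_inbound_icmp:
            return "permit: inbound ACL"
        return "deny: ICMP type=%d from %s to %s: no matching session" % (typ, src, dst)


def simulate(fw, inside="10.2.2.2", target="198.51.100.9", hop_router="10.1.1.1"):
    """Constructed traceroute traffic: a TTL=1 probe answered by the first-hop router with
    type 11, then a probe that reaches the target and is answered with an echo reply."""
    probe1 = ipv4(inside, target, 1, IPPROTO_ICMP, icmp_echo(ECHO_REQUEST, 0x1234, 1))
    fw.outbound(probe1)
    verdict_error = fw.inbound(ipv4(hop_router, inside, 255, IPPROTO_ICMP, icmp_time_exceeded(probe1)))

    probe2 = ipv4(inside, target, 30, IPPROTO_ICMP, icmp_echo(ECHO_REQUEST, 0x1234, 2))
    fw.outbound(probe2)
    verdict_reply = fw.inbound(ipv4(target, inside, 56, IPPROTO_ICMP, icmp_echo(ECHO_REPLY, 0x1234, 2)))
    return verdict_error, verdict_reply


if __name__ == "__main__":
    for label, fw in [("no inspection", Firewall()),
                      ("icmp only", Firewall(inspect_icmp=True)),
                      ("icmp + icmp error", Firewall(inspect_icmp=True, inspect_icmp_error=True))]:
        print(label, simulate(fw))
```

With only `inspect_icmp` the echo reply from the target is permitted but the type 11 from 10.1.1.1 is still dropped with the same "no matching session" reason the original log shows, because the outer source is the router; enabling the error inspection as well matches it on the quoted probe and the trace completes. The ACL flag shows the stateless alternative the answer mentions, which lets every inbound ICMP packet through rather than only those belonging to a session.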