traceroute across fwsm - icmp no matching session

Feb 6th, 2010

Traceroute fails across fwsm 4.0(6) in transparent mode, with this error:

Denied ICMP type=11, from laddr 10.1.1.1 on interface outside to 10.2.2.2: no matching session

Finally figured out that the fix is to enable icmp inspection (in ASDM: Service Policy Rules -> Inspection_default -> Rule Actions). Wondering why this works, i.e. what does enabling icmp inspection do, and will it break anything else or add to the cpu load?

thanks,

Mike

Correct Answer by Kureli Sankar, Sat, 02/06/2010 - 09:47

You probably enabled icmp and icmp error inspection.

ICMP request and response are new connections, unlike tcp. Without inspection, the reply will not be allowed unless you allow it via acl.

For the trace to come back you need icmp error inspection as well, as the ICMP control messages may come from a totally different IP address than the destination IP address which was in the initial traceroute destination.

You can read about how traceroute works here: http://www.tek-tips.com/faqs.cfm?fid=381

How to enable traceroute through PIX/ASA/FWSM here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Any inspection, if used heavily, may elevate the cpu.

-KS
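To make the mechanism in this answer concrete, here is an added Python model of the firewall's ICMP session table (this is illustrative code written for this page, not FWSM/ASA code and not from the original thread). It assumes a simplified session table keyed on source, destination, echo identifier and sequence number, and that a matched reply consumes its session; the addresses 10.1.1.1 and 10.2.2.2 are taken from the log line in the question, while the second router and the traceroute target (192.0.2.1, 198.51.100.10) are constructed. It shows why an echo reply from the target matches a session created by `inspect icmp`, whereas a type 11 time-exceeded from an intermediate router never matches on its outer addresses and is only accepted when `inspect icmp error` looks at the original probe header quoted inside the error message.

```python
from dataclasses import dataclass, field
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Icmp:
    """Minimal ICMP packet: outer addresses, type, echo id/seq and, for error
    messages, the header of the original datagram quoted in the payload."""
    src: str
    dst: str
    icmp_type: int
    ident: int = 0
    seq: int = 0
    inner: Optional["Icmp"] = None


@dataclass
class Firewall:
    """Simplified stateful ICMP handling (model, not the real FWSM code)."""
    inspect_icmp: bool = False              # models "inspect icmp"
    inspect_icmp_error: bool = False        # models "inspect icmp error"
    acl_permits_inbound_icmp: bool = False  # the ACL alternative named in the answer
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def key(src, dst, ident, seq):
        return (src, dst, ident, seq)

    def outbound(self, pkt: Icmp) -> bool:
        """Inside -> outside. With ICMP inspection an echo request opens a session."""
        if self.inspect_icmp and pkt.icmp_type == ICMP_ECHO_REQUEST:
            self.sessions.add(self.key(pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt: Icmp) -> bool:
        """Outside -> inside. Returns True if the packet is permitted."""
        if self.acl_permits_inbound_icmp:
            return True
        if pkt.icmp_type == ICMP_ECHO_REPLY:
            # An echo reply is matched on the reversed outer addresses plus id/seq.
            key = self.key(pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.sessions:
                self.sessions.discard(key)
                return True
        elif pkt.icmp_type in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH) and pkt.inner is not None:
            # The outer source is the router that generated the error, not the
            # traceroute target, so the outer addresses never match a session.
            # Only error inspection uses the quoted inner header to find it.
            if self.inspect_icmp_error:
                key = self.key(pkt.inner.src, pkt.inner.dst, pkt.inner.ident, pkt.inner.seq)
                if key in self.sessions:
                    self.sessions.discard(key)
                    return True
        self.log.append(f"Denied ICMP type={pkt.icmp_type}, from laddr {pkt.src} "
                        f"on interface outside to {pkt.dst}: no matching session")
        return False


# Constructed topology: inside host (from the question's log), two transit
# routers (first one from the log, second constructed) and a constructed target.
INSIDE_HOST = "10.2.2.2"
ROUTERS = ["10.1.1.1", "192.0.2.1"]
TARGET = "198.51.100.10"


def run_traceroute(fw: Firewall, ident: int = 0x1234) -> list:
    """Simulate ICMP-based traceroute: one probe per TTL. Each transit router
    answers with type 11 quoting the probe; the target answers with an echo reply.
    Returns [(responding hop, permitted?), ...]."""
    results = []
    for ttl, hop in enumerate(ROUTERS + [TARGET], start=1):
        probe = Icmp(INSIDE_HOST, TARGET, ICMP_ECHO_REQUEST, ident, seq=ttl)
        fw.outbound(probe)
        if hop == TARGET:
            answer = Icmp(TARGET, INSIDE_HOST, ICMP_ECHO_REPLY, ident, seq=ttl)
        else:
            answer = Icmp(hop, INSIDE_HOST, ICMP_TIME_EXCEEDED, inner=probe)
        results.append((hop, fw.inbound(answer)))
    return results


if __name__ == "__main__":
    for label, fw in [("no inspection", Firewall()),
                      ("inspect icmp", Firewall(inspect_icmp=True)),
                      ("inspect icmp + icmp error",
                       Firewall(inspect_icmp=True, inspect_icmp_error=True))]:
        print(label, run_traceroute(fw))
        for line in fw.log:
            print("  ", line)
```

With only `inspect icmp` enabled the model reproduces the exact message from the question for the first hop (type 11 from 10.1.1.1, denied) while the final echo reply passes; with both inspections on every hop is accepted. On the CLI the two settings correspond to `inspect icmp` and `inspect icmp error` under `class inspection_default` in the global policy-map, which is what the ASDM path in the question toggles.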

