Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1534
Views
3
Helpful
5
Replies

ICMP thru FWSM

fauresr
Level 1
Level 1

‎06-25-2007 02:15 PM - edited ‎03-11-2019 03:35 AM

Hi,

we have a set of FWSM running 3.2(1)

Rules are set to allow ICMP both inbound and outbound.

However traceroute gives some unexpected results, half of the hosts do not respond. It also produces the following message in the log.

%FWSM-4-313004:Denied ICMP type=icmp_type, from source_address oninterface interface_name to dest_address:no matching session

ICMP packets were dropped by the security appliance because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the security appliance or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the security appliance.

Any idea what can I do to fix this. I am not worried about the syslog message, I can always filter these out. But I need reliable traceroute.

Thank you,

Remy

Labels:
0 Helpful
5 Replies 5

Kmageshkumar
Level 1
Level 1

‎07-14-2007 09:38 PM

Hi,

Can you please try configuring the inspection for the icmp_error and please let me know if this fix your problem.Also don't forget have icmp allow ACL's from source to destination in dual direction.

Regards,

Magesh

0 Helpful

fauresr
Level 1
Level 1
In response to Kmageshkumar

‎07-15-2007 04:55 PM

Hi,

I set icmp and icmp error inspection, ALCs allow icmp from source to destination.

Still, traceroute traffic get somewhat disrupted. It is also inconsistent. Several attempts few minutes appart do not lead to the same result.

I talked to TAC about this, and was informed of a bug ID. Expected to be addressed in next release.

Remy

0 Helpful

Kmageshkumar
Level 1
Level 1
In response to fauresr

‎07-15-2007 07:20 PM

Hi,

Thanks for the update.please let us know what is the current version used and the bug ID and also what new version TAC suggested.This would be helpful.

0 Helpful

fauresr
Level 1
Level 1
In response to Kmageshkumar

‎07-16-2007 07:45 AM

Our FWSM is currenlty running version 3.2(1)

The bug ID TAC gave me is: CSCsj53485

From what I was told, this affects version 3.1(5) and 3.1(6) and will be addressed in 3.1(7)

It seems it also affects 3.2(1) and will be addressed in 3.2(2)

I do not have a timeframe for resolution.

Regards,

Remy

Kmageshkumar
Level 1
Level 1
In response to fauresr

‎07-18-2007 07:44 PM

Thanks for your detailed update.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card