
New Member

traceroute across fwsm - icmp no matching session

Traceroute fails across fwsm 4.0(6) in transparent mode, with this error:

Denied ICMP type=11, from laddr 10.1.1.1 on interface outside to 10.2.2.2: no matching session

Finally figured out that the fix is to enable icmp inspection (in ASDM: Service Policy Rules -> Inspection_default -> Rule Actions). Wondering why this works, i.e. what does enabling icmp inspection do, and will it break anything else or add to the CPU load?

thanks,

Mike

Accepted Solution
Cisco Employee

Re: traceroute across fwsm - icmp no matching session

You probably enabled icmp and icmp error inspection.

ICMP request and response are new connections, unlike TCP. Without inspection, the reply will not be allowed unless you allow it via an ACL.

For the trace to come back you need icmp error inspection as well, as the ICMP control messages may come from a totally different IP address than the destination IP address that was in the initial traceroute destination.

You can read about how traceroute works here: http://www.tek-tips.com/faqs.cfm?fid=381

How to enable traceroute through PIX/ASA/FWSM here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Any inspection, if used heavily, may elevate the CPU.

-KS
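As an added example (not from this thread and not Cisco's code), here is a small Python model of the session lookup KS describes: the outbound UDP traceroute probe creates a session, and the ICMP type 11 from an intermediate router is matched on the original datagram quoted inside the error rather than on the router's own source address. The router 10.1.1.1 and host 10.2.2.2 follow the log line in the question; the probe target 10.9.9.9 and the ports are constructed values.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough to parse)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def icmp_time_exceeded(offending_datagram):
    """ICMP type 11, code 0: 4 unused bytes, then the offending IP header + first 8 bytes."""
    return struct.pack("!BBHI", 11, 0, 0, 0) + offending_datagram[:28]

def embedded_flow(icmp):
    """Recover the original flow (src, sport, dst, dport, proto) quoted inside an ICMP error."""
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (src, sport, dst, dport, inner[9])

class TransparentFirewall:
    """Toy session table showing what ICMP error inspection adds to the lookup."""
    def __init__(self, icmp_error_inspection):
        self.icmp_error_inspection = icmp_error_inspection
        self.sessions = set()

    def outbound(self, src, sport, dst, dport, proto):
        self.sessions.add((src, sport, dst, dport, proto))

    def inbound_icmp(self, outer_src, outer_dst, icmp):
        icmp_type = icmp[0]
        # With error inspection, types 3/11/12 are matched on the quoted inner packet,
        # so the router's own address (outer_src) need not appear in the session table.
        if icmp_type in (3, 11, 12) and self.icmp_error_inspection:
            if embedded_flow(icmp) in self.sessions:
                return "permitted"
        return (f"Denied ICMP type={icmp_type}, from laddr {outer_src} on interface "
                f"outside to {outer_dst}: no matching session")

def traceroute_hop_reply(icmp_error_inspection):
    """Constructed case: UDP probe 10.2.2.2 -> 10.9.9.9 goes out; router 10.1.1.1 sends type 11."""
    fw = TransparentFirewall(icmp_error_inspection)
    fw.outbound("10.2.2.2", 40000, "10.9.9.9", 33434, 17)
    probe = ipv4_header("10.2.2.2", "10.9.9.9", 17, 40) + udp_header(40000, 33434, 32) + bytes(32)
    return fw.inbound_icmp("10.1.1.1", "10.2.2.2", icmp_time_exceeded(probe))
```

Calling `traceroute_hop_reply(False)` returns the same "no matching session" denial as the log line in the question, while `traceroute_hop_reply(True)` returns "permitted".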


New Member

Re: traceroute across fwsm - icmp no matching session

Thanks for the information, much appreciated.

Mike
