We upgraded our PIXs to 7.0(2) and now cannot see intermediate hops with a traceroute to outside. As a workaround I enabled "inspect icmp error". This resolved the traceroute but stopped PMTU working (we need PMTU for sessions going via a VPN), so I had to remove it.
I have the following icmp access enabled:
permit icmp any any time-exceeded
permit icmp any any unreachable
permit icmp any any echo-reply
I can see the time-exceeded messages being sent back, but the PIX stops them:
ICMP: time exceeded (time to live) sent to x.x.x.x (dest was x.x.x.x)
Re: Pix 7.0 and traceroute failing intermediate hops
In 7.0 you need the "inspect icmp error" command in the global service-policy for traceroutes to work. This should not be breaking PMTUD though, so we need to look at that further.
Did you get any icmp debugs off the PIX when PMTUD was not working? Can you use the capture command in the PIX on both the interfaces that the traffic traverses to see if the packets are getting dropped?
I see you opened case 602164577 on this that mentions only VPN traffic is affected, but there's no VPN configured on your PIX, so can you explain a bit about the setup you have here? Did you remove the access-list on the interface (the one that allows ICMP Unreachables) after configuring the "inspect icmp error"? What if you leave the access-list in place, in addition to the inspect icmp, do both PMTUD and traceroute then work?
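A PIX 7.0 configuration that applies the advice in this reply (ICMP error inspection in the global service-policy together with the interface ACL for the ICMP types the poster listed), added here as an example and not taken from the original thread. `global_policy` and `inspection_default` are the default names on 7.0; `outside_access_in` and the interface name `outside` are assumptions.

```cisco
! Global inspection policy: "inspect icmp error" lets the PIX translate
! ICMP error packets (time-exceeded, unreachable) back to the inside host
! so that traceroute sees the intermediate hops.
policy-map global_policy
 class inspection_default
  inspect icmp error
!
service-policy global_policy global
!
! Keep the interface ACL in place as well (the question raised in the reply):
! time-exceeded for traceroute, unreachable (incl. fragmentation-needed) for
! PMTUD, echo-reply for plain ping.
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
```

After applying it, `show service-policy` should list the icmp error inspection under the global policy and `show access-list outside_access_in` shows hit counts on the three ICMP entries while a traceroute runs.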