This document describes the configuration required to allow traceroute through Firepower Threat Defense (FTD), so that the FTD appears as a hop in the traceroute output.
Cisco recommends that you have knowledge of these topics:
Firepower Management Center (FMC)
Firepower Threat Defense (FTD)
The information in this document is based on these software and hardware versions:
This article is applicable to all Firepower platforms
Cisco Firepower Threat Defense (FTD) which runs software version 6.4.0
Cisco Firepower Management Center Virtual (FMC) which runs software version 6.4.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Traceroute helps you determine the route that packets take to their destination. A traceroute works by sending UDP packets to a destination on an invalid port. Because the port is not valid, the routers along the way to the destination respond with an ICMP Time Exceeded message, and the destination reports that error to the ASA.
The traceroute shows the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. This table explains the output symbols.

Output symbol   Description
*               No response was received for the probe within the timeout period.
nn msec         For each node, the round-trip time (in milliseconds) for the specified number of probes.
!N.             ICMP network is unreachable.
!H.             ICMP host is unreachable.
!A.             ICMP administratively prohibited.
?               Unknown ICMP error.
By default, the ASA does not appear on traceroutes as a hop. To make it appear, you need to decrement the time-to-live on packets that pass through the ASA and increase the rate limit on ICMP unreachable messages.
Caution: If you decrement time to live, packets with a TTL of 1 are dropped, but a connection is opened for the session on the assumption that the connection might contain packets with a greater TTL. Note that some packets, such as OSPF hello packets, are sent with TTL = 1, so decrementing time to live can have unexpected consequences. Keep these considerations in mind when defining your traffic class.
Step 1. Create the extended ACL that defines the traffic class for which traceroute reporting needs to be enabled.
Log in to the FMC GUI and navigate to Objects > Object Management > Access List. Select Extended from the table of contents and add a new Extended Access List. Enter a Name for the object, for example, Traceroute_ACL. Add a rule to permit the interesting traffic and save it, as shown in the image:
Step 2. Configure the service policy rule that decrements the time-to-live value.
Navigate to Policies > Access Control and then edit the policy assigned to the device. Under the Advanced tab, edit the Threat Defense Service Policy, add a new rule from the Add Rule tab, select the Global checkbox to apply it globally, and click Next, as shown in the image:
Navigate to Traffic Flow > Extended Access List and then choose, from the drop-down menu, the Extended Access List object that was created in the previous step. Now click Next, as shown in the image:
Select the Enable Decrement TTL checkbox and, optionally, modify the other connection options. Click Finish to add the rule, then click OK and save the changes to the Threat Defense Service Policy, as shown in the image:
Once the previous steps are completed, ensure that you save the Access Control Policy.
Step 3. Increase the rate limit on ICMP unreachable messages (optional).
Navigate to Devices > Platform Settings and then edit or create a new Firepower Threat Defense platform settings policy and associate it with the device. Select ICMP from the table of contents and increase the Rate Limit, for example, to 50 (you can ignore the Burst Size). Click Save and deploy the policy to the device, as shown in the image:
Caution: Ensure that ICMP Destination Unreachable (Type 3) and ICMP Time Exceeded (Type 11) are allowed from Outside to Inside in the Access Control Policy, or fastpathed in the Prefilter Policy. Without this, the replies that traceroute relies on are dropped before they reach the host that ran the probe.
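For reference, the running configuration that steps 1 to 3 produce on the FTD is shown below as an added example; it is not taken from the article and is not generated by FMC in this exact form. The ACL name Traceroute_ACL and the rate limit of 50 are from the article; the class-map name, the OUTSIDE_IN ACL name, the interface name outside and the object-group name are assumptions (FMC generates its own names), and on FTD these objects are managed through FMC rather than typed at the CLI.

```cisco
! Step 1: traffic class for which the FTD should appear as a traceroute hop.
! Traceroute_ACL is the object name from the article; a permit ip any any rule
! is assumed here so that every flow through the box decrements TTL.
access-list Traceroute_ACL extended permit ip any any

! Step 2: service policy rule that decrements TTL for that class.
! Traceroute_class is an assumed name; FMC generates its own class-map names.
class-map Traceroute_class
 match access-list Traceroute_ACL
!
policy-map global_policy
 class Traceroute_class
  set connection decrement-ttl
!
service-policy global_policy global

! Step 3 (optional): raise the ICMP unreachable rate limit from the default of
! 1 message per second so that replies for several probes per hop are sent.
icmp unreachable rate-limit 50 burst-size 1

! Return traffic (see the caution above): permit ICMP Time Exceeded (type 11)
! and Destination Unreachable (type 3) inbound on the outside interface.
! OUTSIDE_IN and the interface name are assumed; on FTD this is the Access
! Control Policy or a Prefilter fastpath rule, not a hand-written ACL.
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
```

After deployment, compare this against show run policy-map, show run class-map and show run access-list on the FTD; the set connection decrement-ttl line under the traceroute class is what makes the FTD visible as a hop, and the ICMP permits are what let the replies back in. Keep the caution about TTL = 1 traffic (for example OSPF hellos) in mind when deciding whether the class really should match any-to-any.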
Check the configuration from FTD CLI once policy deployment is complete:
FTD# show run policy-map
policy-map type inspect dns preset_dns_map
set connection timeout idle 1:00:00
set connection decrement-ttl
FTD# show run class-map
match access-list Traceroute_ACL
FTD# show run access-l Traceroute_ACL
access-list Traceroute_ACL extended permit object-group ProxySG_ExtendedACL_30064773500 any any log
You can take captures on the FTD ingress and egress interfaces for the interesting traffic to troubleshoot the issue further.
Tip: Because of CSCvq79913 (ICMP error packets dropped for Null pdts_info), ensure that you use the Prefilter Policy for ICMP, preferably for the type 3 and type 11 return traffic.