Cisco FirePOWER SFR Module Cannot Ping

KB ID 0001174 Dtd 10/04/16

Problem

On a newly deployed FirePOWER service module I wanted to test connectivity, so I dropped to the Linux shell and attempted to ping a public IP address. This is what happened:

> expert
admin@Petes-SFR:~$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted

My first thought was, "Well, you have to set a default gateway on the SFR when you set it up, so the firewall is probably blocking ICMP". So I checked the default policy and, indeed, there was no ICMP inspection turned on.

ASA default inspection map

Well, that's easy to fix. (Note: the set connection decrement-ttl isn't really needed; I do that so that tracert works through the firewall.)

Petes-FW(config)# policy-map global_policy
Petes-FW(config-pmap)# class inspection_default
Petes-FW(config-pmap-c)# inspect icmp
Petes-FW(config-pmap-c)# class class-default
Petes-FW(config-pmap-c)# set connection decrement-ttl
Petes-FW(config-pmap-c)# exit
Petes-FW(config-pmap)# exit
Petes-FW(config)# write mem
Building configuration...
Cryptochecksum: ae83c992 52a79538 b8370d6f 36125070

3120 bytes copied in 0.290 secs
[OK]
Petes-FW(config)#
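If you want to confirm the ASA side of this without eyeballing the policy-map by hand, the following is an added example (it is not from the original article and is not Cisco tooling): a small POSIX shell/awk check that reads a saved ASA configuration, such as the output of show running-config policy-map, and reports whether inspect icmp is present under class inspection_default of policy-map global_policy. The function names and the two sample configs are constructed for this example; the "before" sample is the default inspection map and the "after" sample is the policy as changed above.

```shell
#!/bin/sh
# Added example, not from the original article: audit a saved ASA running
# configuration and report whether ICMP inspection is enabled in the
# default global policy. Helper names and sample configs are constructed.

# icmp_inspected: reads an ASA config on stdin; exits 0 when `inspect icmp`
# is configured under class inspection_default of policy-map global_policy,
# exits 1 otherwise. ASA indents class lines by one space and class actions
# by two, so the patterns anchor on that layout. "inspect icmp error" is a
# different directive and deliberately does not match.
icmp_inspected() {
    awk '
        /^policy-map /      { in_pm  = ($2 == "global_policy"); in_cls = 0 }
        in_pm && /^ class / { in_cls = ($2 == "inspection_default") }
        in_pm && in_cls && /^  inspect icmp[ \t]*$/ { found = 1 }
        END                 { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the ASA default inspection map (no ICMP inspection).
CONFIG_BEFORE='policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
 class class-default
!'

# Constructed sample: the same policy after adding inspect icmp.
CONFIG_AFTER='policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
  inspect icmp
 class class-default
  set connection decrement-ttl
!'

# Wrappers so each sample can be checked by name.
check_before() { printf '%s\n' "$CONFIG_BEFORE" | icmp_inspected; }
check_after()  { printf '%s\n' "$CONFIG_AFTER"  | icmp_inspected; }

# Human-readable report when run directly. To audit a real firewall, save
# `show running-config policy-map` to a file and run: icmp_inspected < file
if check_before; then echo "before: ICMP inspected"; else echo "before: ICMP NOT inspected"; fi
if check_after;  then echo "after:  ICMP inspected"; else echo "after:  ICMP NOT inspected"; fi
```

The check is scoped to global_policy on purpose: inspect icmp in some other policy-map that is not applied globally (or not applied at all) would not make the echo replies stateful on the interface the SFR's default gateway sits on.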

Unfortunately it still didn't work!

Solution

Some forum searching turned up the same error on other flavours of Linux. The fix there was to change the permissions on the ping binary (make it setuid root), so I gave that a try, and it worked.

admin@Petes-SFR:~$ sudo chmod u+s /bin/ping

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:{Your-SFR-Admin-Password}
admin@Petes-SFR:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=52 time=12.8 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=52 time=13.7 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=52 time=12.6 ms
64 bytes from 8.8.8.8: icmp_req=4 ttl=52 time=13.2 ms
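The error above is the classic symptom of an unprivileged ping: opening a raw ICMP socket needs either root (which is what chmod u+s gives the binary, because it then runs as its owner) or the narrower cap_net_raw file capability, which is how most current distributions ship ping (setcap cap_net_raw+ep on the binary). The following is an added example, not from the original article, that reports which of those mechanisms a given binary has so you can see what state the SFR's /bin/ping is in after the change. It assumes GNU coreutils stat (the -c format flag) and uses getcap from libcap only if it is installed; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: report which mechanism, if
# any, lets a ping binary open a raw ICMP socket. Assumes GNU `stat -c`;
# `getcap` is optional. Function names are constructed for this example.

# is_setuid MODE: exit 0 when an octal mode string as printed by
# `stat -c %a` (e.g. 4755) has the setuid bit (04000) set.
is_setuid() {
    case "$1" in
        4???|5???|6???|7???) return 0 ;;
        *)                   return 1 ;;
    esac
}

# has_net_raw PATH: exit 0 when the file carries the cap_net_raw file
# capability (set with `setcap cap_net_raw+ep PATH`), the least-privilege
# alternative to a setuid-root binary. Exit 1 if getcap is missing or the
# capability is absent.
has_net_raw() {
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q 'cap_net_raw'
}

# ping_privilege_mechanism PATH: prints one of
#   missing     - no such file
#   setuid      - setuid bit set; runs with the owner's uid (root for /bin/ping)
#   capability  - cap_net_raw file capability present
#   none        - neither; an unprivileged user gets "Operation not permitted"
ping_privilege_mechanism() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    mode=$(stat -L -c '%a' "$path")
    if is_setuid "$mode"; then
        echo setuid
    elif has_net_raw "$path"; then
        echo capability
    else
        echo none
    fi
}

# Usage when run directly: check the binary the article patched, or the
# path given as the first argument.
ping_bin=${1:-/bin/ping}
printf '%s: owner %s, mode %s, mechanism %s\n' \
    "$ping_bin" \
    "$(stat -L -c '%U' "$ping_bin" 2>/dev/null || echo '?')" \
    "$(stat -L -c '%a' "$ping_bin" 2>/dev/null || echo '?')" \
    "$(ping_privilege_mechanism "$ping_bin")"
```

From a least-privilege standpoint, "capability" is the better answer than "setuid": a setuid-root ping runs the whole program as root, whereas the file capability grants only the ability to open raw sockets. Either way, the script makes it obvious when the answer is "none", which is exactly the state that produced the error in this article.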

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

2 Comments

  1. Hi there.
    Actually you can ping also directly from CLISH mode ‘system support ping x.x.x.x’. This tip has been given by the Cisco support team 🙂
    Thank you for your messages though, they have been of great help for my starting configuration of the SFR Module!

    • Thanks for the feedback!

      P