Symptom
ICMP TTL exceeded packet dropped by ZBFW with drop reason "ICMP policy drop:classify result"
CSR1000v-1#debug plat condition startform packet-trace copy pack both size 2048packet 1024 fia-trace cir show platform hardware qfp active feature firewall drop clear
-------------------------------------------------------------------------------
Drop Reason Packets
-------------------------------------------------------------------------------
ICMP policy drop:classify result 2
Conditions
Issue is first seen using TCP based trace route through IOS-XE 16.09.03 using ThousandEyes utility along with nat.
Workaround
none at this time
Further Problem Description
The issue has been reproduced using tracetcp.exe utility. DE's have resolved this issue on the NAT side
