It won't work if:
- Target's firewall drops all outgoing ICMP messages,
- Target's firewall does TTL or full-packet rewriting,
- There's an application layer proxy / load balancer in the way
(Akamai, in-house LBs, etc.),
- There's no notable layer 3 infrastructure behind the firewall.
The tool also has a fairly distinctive TCP signature, and as such, it can
be detected by IDS/IPS systems.
Have you tried firewalk?

