https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/3352976#M924213 <P>Hi team,</P> <P>&nbsp;</P> <P>I'm simulating packet tracer before putting my FTD on production:</P> <P>&nbsp;</P> <P>But when sending a packet from a Lan machine to google :</P> <P>&nbsp;</P> <P>I get always this result :</P> <P>&nbsp;</P> <P>Result:</P> <P>input-interface: inside</P> <P>input-status: up</P> <P>input-line-status: up</P> <P>output-interface: outside</P> <P>output-status: up</P> <P>output-line-status: up</P> <P>Action: drop</P> <P>Drop-reason: (no-adjacency) No valid adjacency<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="X10.png" style="width: 916px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/9257i1056ED7465405AE5/image-size/large?v=v2&amp;px=999" role="button" title="X10.png" alt="X10.png" /></span></P> <P>&nbsp;</P> <P>Does any one knows if this message (<SPAN>Drop-reason: (no-adjacency) No valid adjacency) means a NAT problem or routing problem ?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards,</SPAN></P> Fri, 21 Feb 2020 15:32:58 GMT sam cook 2020-02-21T15:32:58Z https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/3352976#M924213 <P>Hi team,</P> <P>&nbsp;</P> <P>I'm simulating packet tracer before putting my FTD on production:</P> <P>&nbsp;</P> <P>But when sending a packet from a Lan machine to google :</P> <P>&nbsp;</P> <P>I get always this result :</P> <P>&nbsp;</P> <P>Result:</P> <P>input-interface: inside</P> <P>input-status: up</P> <P>input-line-status: up</P> <P>output-interface: outside</P> <P>output-status: up</P> <P>output-line-status: up</P> <P>Action: drop</P> <P>Drop-reason: (no-adjacency) No valid adjacency<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="X10.png" style="width: 916px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/9257i1056ED7465405AE5/image-size/large?v=v2&amp;px=999" role="button" title="X10.png" alt="X10.png" /></span></P> <P>&nbsp;</P> <P>Does any one knows if this message (<SPAN>Drop-reason: (no-adjacency) No valid adjacency) means a NAT problem or routing problem ?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards,</SPAN></P> Fri, 21 Feb 2020 15:32:58 GMT https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/3352976#M924213 sam cook 2020-02-21T15:32:58Z https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/3352991#M924214 <P>Generally that would be a routing issue. Although since your target is a FQDN it could also be DNS lookup. Substitute a target public IP to rule that out.</P> <P>&nbsp;</P> <P>Have you configured a default route on the device?</P> Thu, 22 Mar 2018 10:18:35 GMT https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/3352991#M924214 Marvin Rhoads 2018-03-22T10:18:35Z https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/3352995#M924215 <P>Thank you Marvin ,</P> <P>&nbsp;</P> <P>In fact I found the issue :</P> <P>&nbsp;</P> <P>seen that I'm testing this outside the production , the FTD did not find the mac adress of next hop.</P> <P>&nbsp;</P> <P>So i think when i will put it in production , it will resolve the mac adress and packet will be allowed.</P> <P>&nbsp;</P> <P>regards,</P> Thu, 22 Mar 2018 10:33:39 GMT https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/3352995#M924215 sam cook 2018-03-22T10:33:39Z https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/4057354#M1068617 <P>◄ I have same issue ►</P><P>packet-tracer input inside icmp 70.1.2.2 8 0 172.16.111.100</P><P>&nbsp;</P><P>Phase: 13<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 172.16.111.100 using egress ifc outside</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-adjacency) No valid adjacency</P><P>&nbsp;</P><P>==========[ fix ]&nbsp;==========</P><P>&nbsp;</P><P>no xlate per-session deny tcp any4 any4<BR />no xlate per-session deny tcp any4 any6<BR />no xlate per-session deny tcp any6 any4<BR />no xlate per-session deny tcp any6 any6<BR />no xlate per-session deny udp any4 any4 eq domain<BR />no xlate per-session deny udp any4 any6 eq domain<BR />no xlate per-session deny udp any6 any4 eq domain<BR />no xlate per-session deny udp any6 any6 eq domain</P><P>&nbsp;</P><P>========[ verification ]&nbsp;========</P><P>&nbsp;</P><P>Phase: 13<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 192.168.201.111 using egress ifc outside</P><P>Phase: 14<BR />Type: ADJACENCY-LOOKUP<BR />Subtype: next-hop and adjacency<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />adjacency Active<BR />next-hop mac address 5254.0094.9ec5 hits 31930 reference 3</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P><P>&nbsp;</P><P>Kind Regards,</P><P>Hossam</P> Thu, 02 Apr 2020 04:16:36 GMT https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/4057354#M1068617 hossam helal 2020-04-02T04:16:36Z https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/4057358#M1068618 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; This is either a bug, either there is no valid adjacency (IP-to-MAC binding) for the next-hop.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Thu, 02 Apr 2020 04:34:27 GMT https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/4057358#M1068618 Cristian Matei 2020-04-02T04:34:27Z https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/4059580#M1068809 <P>Hi,</P><P>I use that version</P><P>&nbsp;</P><P>ASA# show version</P><P>Cisco Adaptive Security Appliance Software Version 9.9(1)<BR />Firepower Extensible Operating System Version 2.3(1.54)<BR />Device Manager Version 7.9(1)</P><P>Compiled on Thu 30-Nov-17 20:21 PST by builders<BR />System image file is "boot:/asa991-smp-k8.bin"<BR />Config file at boot was "startup-config"</P><P>ASA up 2 hours 24 mins</P><P>Hardware: ASAv, 4096 MB RAM, CPU Pentium II 1699 MHz, 1 CPU (2 cores)<BR />Model Id: ASAv30<BR />Internal ATA Compact Flash, 129024MB<BR />Slot 1: ATA Compact Flash, 129024MB<BR />BIOS Flash Firmware Hub @ 0x0, 0KB</P><P><BR />0: Ext: Management0/0 : address is 5254.003c.3c2c, irq 11<BR />1: Ext: GigabitEthernet0/0 : address is 5254.a4a4.0f4e, irq 11<BR />2: Ext: GigabitEthernet0/1 : address is 5254.b1b1.0ee7, irq 10</P><P>License mode: Smart Licensing<BR />ASAv Platform License State: Unlicensed</P><P>&nbsp;</P><P>◄================================== ►</P><P>&nbsp;</P><P>&nbsp;</P><P>◄================[config: -]================== ►</P><P>access-list OUTSIDE_INBOUND extended permit icmp any any</P><P>&nbsp;</P><P>icmp unreachable rate-limit 1 burst-size 1<BR />icmp permit any echo outside<BR />icmp permit any echo-reply outside<BR />icmp permit any outside<BR />icmp permit any echo inside<BR />icmp permit any echo-reply inside<BR />icmp permit any inside</P><P>&nbsp;</P><P>access-group OUTSIDE_INBOUND in interface outside<BR />access-group OUTSIDE_INBOUND out interface outside<BR />access-group OUTSIDE_INBOUND in interface inside<BR />access-group OUTSIDE_INBOUND out interface inside</P><P>&nbsp;</P><P>&nbsp;</P><P>policy-map global_policy<BR />class inspection_default<BR />inspect icmp<BR />inspect icmp error</P><P>&nbsp;</P><P><BR />no xlate per-session deny tcp any4 any4<BR />no xlate per-session deny tcp any4 any6<BR />no xlate per-session deny tcp any6 any4<BR />no xlate per-session deny tcp any6 any6<BR />no xlate per-session deny udp any4 any4 eq domain<BR />no xlate per-session deny udp any4 any6 eq domain<BR />no xlate per-session deny udp any6 any4 eq domain<BR />no xlate per-session deny udp any6 any6 eq domain</P><P>&nbsp;</P><P>may be we should open bug with cisco</P><P>&nbsp;</P><P>Regards,</P><P>Hossam</P> Mon, 06 Apr 2020 04:59:56 GMT https://community.cisco.com/t5/network-security/ftd-failed-simulation-drop-reason-no-adjacency-no-valid/m-p/4059580#M1068809 hossam helal 2020-04-06T04:59:56Z