ASA 5516 initial build - Failed to locate egress interface (Please help :-) )

broadleon
Level 1

Hi


We want all the traffic, including the internet traffic, to go through the inside interface of the firewall once a VPN connection is established. However, I am having a hard time with the VPN AnyConnect client receiving a DHCP address from the DHCP server on the inside interface. I see the request from the ASA on the DHCP server, but the return traffic is lost.


Error on the ASA shows as:


Failed to locate egress interface for UDP from Inside:10.92.60.102/67 to 10.200.211.0/67


Routes

route Outside 0.0.0.0 0.0.0.0 62.7.75.233 1
route Inside 10.92.60.102 255.255.255.255 10.200.10.254 1
route Inside 10.255.255.101 255.255.255.255 10.200.10.254 1
route Inside 0.0.0.0 0.0.0.0 10.200.10.254 tunneled


nat (Inside,Inside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool route-lookup

4 Replies

Hi,
I assume the RAVPN ASA is not the default gateway for the internal network which the DHCP server is connected to, and the RAVPN traffic will be routed via another FW?
Do you have a route to the RAVPN network on the core switch, routing traffic to the RAVPN ASA?

Yes, the VPN is coming in from another network; DHCP is many networks away. Routers in between know how to return the traffic back.

RAVPN traffic always originates from the "outside" interface, in your NAT rule above you've specified the destination interface as "inside". Amend and try again.
Run a packet capture, to/from the DHCP server and provide the output.

I have changed the NAT to the following:

Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool
translate_hits = 2, untranslate_hits = 2


The egress issue has disappeared, but no DHCP for the VPN user. But I'm confused as to whether the DHCP request is coming from the ASA or from the VPN network?


On the DHCP server I see requests from both the inside interface 10.200.10.2 and the VPN network 10.200.211.0.


Result of the command: "packet-tracer input inside udp 10.92.60.102 67 10.200.211.0 67"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.211.0/67 to 10.200.211.0/67

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit udp host 10.92.60.102 object Obj-AnyconnectPool eq bootps
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool
Additional Information:
Static translate 10.92.60.102/67 to 10.92.60.102/67

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6564543, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
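As an added example (not code from the thread or from Cisco), a small Python checker for packet-tracer output like the one above: it parses the phases and the final Result block, reports any DROP phase with its Drop-reason, and flags a NAT rule whose (ingress,egress) interface pair differs from the interfaces the flow actually used, which is the mismatch the original nat (Inside,Inside) rule had. The sample trace is constructed from the output above, trimmed to one phase.

```python
import re

# Constructed sample modelled on the thread's ALLOW trace, cut to the UN-NAT phase and Result block.
TRACE_OK = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (Inside,Outside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool
Additional Information:
NAT divert to egress interface Outside

Result:
input-interface: Inside
output-interface: Outside
Action: allow
"""

NAT_RE = re.compile(r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\)")

def parse_trace(text):
    """Split packet-tracer output into phase dicts plus the final Result block."""
    phases, result = [], {}
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        if lines[0].startswith("Result:"):
            result = {k.strip(): v.strip() for k, _, v in
                      (l.partition(":") for l in lines[1:])}
            continue
        phase = {"type": None, "result": None, "nat": None, "drop_reason": None}
        for line in lines:
            key, _, value = line.partition(":")
            if key in ("Type", "Result", "Drop-reason"):
                phase[key.lower().replace("-", "_")] = value.strip()
            elif (m := NAT_RE.match(line)):
                phase["nat"] = (m["src"], m["dst"])  # (ingress, egress) named by the rule
        phases.append(phase)
    return phases, result

def check_trace(text):
    """Return findings: DROP phases, and NAT rules whose interface pair disagrees with the flow."""
    phases, result = parse_trace(text)
    flow = (result.get("input-interface"), result.get("output-interface"))
    findings = []
    for p in phases:
        if p["result"] == "DROP":
            findings.append(f"phase {p['type']} dropped: {p['drop_reason']}")
        if p["nat"] and p["nat"] != flow:
            findings.append(f"NAT rule {p['nat']} does not match flow {flow}")
    return findings
```

Paste the full output of "packet-tracer ... " into TRACE_OK (or read it from a file) to check a real trace; an empty findings list means no phase dropped and every NAT rule's interface pair agrees with the input/output interfaces the ASA chose.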

