ASA-6-110002: Failed to locate egress interface for ICMP from vlan

avilt
Level 3

Following is my config on the 5525-X firewall:

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif vlan200
 security-level 100
 ip address 10.10.20.1 255.255.255.0

----------------------------------------------

When a PC with IP address 10.10.10.12 tries to ping 10.10.20.1, I get the following error:

%ASA-6-110002: Failed to locate egress interface for ICMP from vlan100:10.10.10.12/1 to 10.10.20.1/0

From the ASA itself I can ping both interfaces. But an extended ping from vlan 100 to vlan 200 fails with the above error as well.

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

You won't be able to ICMP the far-end interface from behind another interface. What I mean is that users behind Vlan100 can only ICMP the Vlan100 interface IP address, and users behind Vlan200 can only ICMP the Vlan200 interface IP address on the ASA. They won't be able to ICMP any other interface IP address. This has been basic behaviour of the Cisco firewalls for a long time, though I am not sure what the purpose is.

If you want to have traffic flowing between these 2 interfaces and their networks, you would also have to check that you have this configured:

same-security-traffic permit inter-interface

This would allow traffic between 2 different interfaces using the same "security-level" value, which you seem to have. Without the above command the traffic won't be allowed through, even if you have ACLs allowing the traffic.

- Jouni
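As an added illustration (not code from the thread or from Cisco), the script below parses the named sub-interfaces out of a constructed config mirroring the one in the question and classifies the 110002 syslog line from the post against the two conditions in the accepted answer: the destination is the ASA's own far-side interface address, or two same-security interfaces exist without `same-security-traffic permit inter-interface`. The config text, the message regex and the function names are assumptions made for the example.

```python
import re

# Constructed sample, copied from the interfaces in the question (not a full running-config).
ASA_CONFIG = """\
interface GigabitEthernet0/1.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif vlan200
 security-level 100
 ip address 10.10.20.1 255.255.255.0
"""

# The syslog line quoted in the question.
SYSLOG = ("%ASA-6-110002: Failed to locate egress interface for ICMP "
          "from vlan100:10.10.10.12/1 to 10.10.20.1/0")

# Assumed message shape: "... from <nameif>:<src>/<port> to <dst>/<port>".
MSG_RE = re.compile(r"%ASA-\d-110002: .* from (\S+?):(\d+(?:\.\d+){3})/\d+ to (\d+(?:\.\d+){3})/\d+")
PERMIT = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Return {nameif: {"ip": ..., "level": ...}} for every interface carrying a nameif."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = {}                       # new interface block
        elif cur is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur  # key the block by its nameif
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address "):
            cur["ip"] = line.split()[2]
    return ifaces


def explain_110002(config, syslog):
    """Classify a 110002 event: far-side interface IP, missing same-security permit, or plain transit."""
    m = MSG_RE.search(syslog)
    if not m:
        return "not-110002"
    ingress, _src, dst = m.groups()
    ifaces = parse_interfaces(config)
    owner = next((n for n, i in ifaces.items() if i.get("ip") == dst), None)
    if owner and owner != ingress:       # pinging the ASA's own address on another interface
        return f"dst {dst} is the ASA's own {owner} address; not reachable from behind {ingress}"
    level = ifaces.get(ingress, {}).get("level")
    peers = [n for n, i in ifaces.items() if n != ingress and i.get("level") == level]
    if peers and PERMIT not in config:   # same security-level on both sides, permit missing
        return f"same-security interfaces {[ingress] + peers} without '{PERMIT}'"
    return "transit flow; check routing and ACLs"
```

Running `explain_110002(ASA_CONFIG, SYSLOG)` reports the far-side interface case for the exact line in the question; change the destination to a host in 10.10.20.0/24 and the missing permit command is reported instead.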
