Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5976
Views
0
Helpful
9
Replies

ASA 8.2 and "No valid adjacency" Mitel phones

Go to solution
gothlzcisco
Beginner
Beginner

‎12-28-2015 11:07 AM - edited ‎03-12-2019 12:04 AM

We are using an ASA 5505 running 8.2 with Sec Plus license. We're running into an issue where we created a second vlan for voice on the network and the phones cannot register properly to their hosted service on the outside.  By default the phones are on vlan 1 and they work (in that they get an IP and NAT to the outside world and can register with our hosted service) but when we put them on a different vlan I get some odd results which appear to be NAT related.

We have the default vlan 1 and the second voice vlan 20 --- 192.168.100.x and 192.168.200.x respectively.

Ethernet0/0 = outside interface

Ethernet0/5 = trunked interface to our 3560 switch.  Our 3560 is trunked on it's link to the ASA.

interface Ethernet0/5
 switchport trunk allowed vlan 1-20
 switchport trunk native vlan 1
 switchport mode trunk

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0

interface Vlan20
 nameif Voice
 security-level 100
 ip address 192.168.200.1 255.255.255.0

NAT config:

nat (inside) 1 0.0.0.0 0.0.0.0
nat (Voice) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

The 3560 has the two vlans (SVIs) created and trunked to the ASA.  Routing is enabled on the 3560.  Default gw for vlan 1 is 192.168.100.254 and for vlan 20 it's 192.168.200.254.  Default route in the 3560 is the interface for the ASA = 192.168.100.1.

From the ASA I can ping the SVI interfaces and from the switch I can ping everything.  When I put a device or a phone into vlan 20, I can ping that device from the switch and the ASA.  But when I put a phone on vlan 20 and start to watch the traffic as it tries to go out and register, I get some "No valid adjacency" errors in the logs for the ASA and the phone never registers properly (which means no dial tone and no functionality.)

Logs:

%ASA-6-302014: Teardown TCP connection 1821820 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.200.8/6961 to outside:94.x.x.50/51026 duration 0:01:01
%ASA-6-302015: Built inbound UDP connection 1821825 for outside:80.210.50.25/20001 (80.210.50.25/20001) to inside:192.168.200.8/49156 (94.x.x.50/51086)
%ASA-6-302016: Teardown UDP connection 1821825 for outside:80.210.50.25/20001 to inside:192.168.200.8/49156 duration 0:00:00 bytes 25
%ASA-6-302013: Built outbound TCP connection 1821826 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326)
%ASA-6-302014: Teardown TCP connection 1821826 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-302015: Built inbound UDP connection 1821828 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-302016: Teardown UDP connection 1821828 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
%ASA-6-302015: Built inbound UDP connection 1821832 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-302016: Teardown UDP connection 1821832 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
%ASA-6-302013: Built outbound TCP connection 1821833 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326)
%ASA-6-302014: Teardown TCP connection 1821833 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.200.8/6921 to outside:94.x.x.50/63830
%ASA-6-302013: Built outbound TCP connection 1821834 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6921 (94.x.x.50/63830)
%ASA-6-302014: Teardown TCP connection 1821834 for outside:80.210.50.25/6801 to inside:192.168.200.8/6921 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-302015: Built inbound UDP connection 1821835 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-110003: Routing failed to locate next hop for UDP from outside:80.210.50.25/69 to inside:192.168.200.8/49157
%ASA-6-302016: Teardown UDP connection 1821835 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.200.8/6933 to outside:94.x.x.50/21101 duration 0:01:01
%ASA-6-302013: Built outbound TCP connection 1821837 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6921 (94.x.x.50/63830)
%ASA-6-302014: Teardown TCP connection 1821837 for outside:80.210.50.25/6801 to inside:192.168.200.8/6921 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-302015: Built inbound UDP connection 1821841 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-302016: Teardown UDP connection 1821841 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12

 

Public IPS have been changed to protect the innocent.

I've looked at everything I can find for that error message, but I can't figure out if this is a routing or NAT issue.

Any help would be appreciated.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions