12-28-2015 11:07 AM - edited 03-12-2019 12:04 AM
We are using an ASA 5505 running 8.2 with Sec Plus license. We're running into an issue where we created a second vlan for voice on the network and the phones cannot register properly to their hosted service on the outside. By default the phones are on vlan 1 and they work (in that they get an IP and NAT to the outside world and can register with our hosted service) but when we put them on a different vlan I get some odd results which appear to be NAT related.
We have the default vlan 1 and the second voice vlan 20 --- 192.168.100.x and 192.168.200.x respectively.
Ethernet0/0 = outside interface
Ethernet0/5 = trunked interface to our 3560 switch. Our 3560 is trunked on its link to the ASA.
interface Ethernet0/5
 switchport trunk allowed vlan 1-20
 switchport trunk native vlan 1
 switchport mode trunk
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Vlan20
 nameif Voice
 security-level 100
 ip address 192.168.200.1 255.255.255.0
NAT config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Voice) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
The 3560 has the two vlans (SVIs) created and trunked to the ASA. Routing is enabled on the 3560. Default gw for vlan 1 is 192.168.100.254 and for vlan 20 it's 192.168.200.254. Default route in the 3560 is the interface for the ASA = 192.168.100.1.
From the ASA I can ping the SVI interfaces and from the switch I can ping everything. When I put a device or a phone into vlan 20, I can ping that device from the switch and the ASA. But when I put a phone on vlan 20 and start to watch the traffic as it tries to go out and register, I get some "No valid adjacency" errors in the logs for the ASA and the phone never registers properly (which means no dial tone and no functionality).
Logs:
%ASA-6-302014: Teardown TCP connection 1821820 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.200.8/6961 to outside:94.x.x.50/51026 duration 0:01:01
%ASA-6-302015: Built inbound UDP connection 1821825 for outside:80.210.50.25/20001 (80.210.50.25/20001) to inside:192.168.200.8/49156 (94.x.x.50/51086)
%ASA-6-302016: Teardown UDP connection 1821825 for outside:80.210.50.25/20001 to inside:192.168.200.8/49156 duration 0:00:00 bytes 25
%ASA-6-302013: Built outbound TCP connection 1821826 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326)
%ASA-6-302014: Teardown TCP connection 1821826 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-302015: Built inbound UDP connection 1821828 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-302016: Teardown UDP connection 1821828 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
%ASA-6-302015: Built inbound UDP connection 1821832 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-302016: Teardown UDP connection 1821832 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
%ASA-6-302013: Built outbound TCP connection 1821833 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326)
%ASA-6-302014: Teardown TCP connection 1821833 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.200.8/6921 to outside:94.x.x.50/63830
%ASA-6-302013: Built outbound TCP connection 1821834 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6921 (94.x.x.50/63830)
%ASA-6-302014: Teardown TCP connection 1821834 for outside:80.210.50.25/6801 to inside:192.168.200.8/6921 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-302015: Built inbound UDP connection 1821835 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-110003: Routing failed to locate next hop for UDP from outside:80.210.50.25/69 to inside:192.168.200.8/49157
%ASA-6-302016: Teardown UDP connection 1821835 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.200.8/6933 to outside:94.x.x.50/21101 duration 0:01:01
%ASA-6-302013: Built outbound TCP connection 1821837 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6921 (94.x.x.50/63830)
%ASA-6-302014: Teardown TCP connection 1821837 for outside:80.210.50.25/6801 to inside:192.168.200.8/6921 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-302015: Built inbound UDP connection 1821841 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-302016: Teardown UDP connection 1821841 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
Public IPS have been changed to protect the innocent.
I've looked at everything I can find for that error message, but I can't figure out if this is a routing or NAT issue.
Any help would be appreciated.
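The log lines above already contain the answer if you cross-check them against the interface config: every flow for 192.168.200.8 is recorded on `inside`, whose connected subnet is 192.168.100.0/24, so the ASA has no adjacency on that interface for the reply. The following Python is an added example (not from the thread) that performs exactly that check over a handful of the posted lines plus one constructed line for a data-VLAN host; the interface-to-subnet map is taken from the config in the post, and the `outside` interface is left out because its address is anonymised.

```python
import ipaddress
import re
from collections import Counter

# Sample input: a subset of the syslog lines from the post (public IPs already
# anonymised there), plus one constructed line for a data-VLAN host so the
# check has a negative case to compare against.
SAMPLE_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 1821826 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326)
%ASA-6-302014: Teardown TCP connection 1821826 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency
%ASA-6-302015: Built inbound UDP connection 1821835 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880)
%ASA-6-110003: Routing failed to locate next hop for UDP from outside:80.210.50.25/69 to inside:192.168.200.8/49157
%ASA-6-302016: Teardown UDP connection 1821835 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12
%ASA-6-302013: Built outbound TCP connection 1821900 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.100.23/5060 (94.x.x.50/40001)
%ASA-6-302014: Teardown TCP connection 1821900 for outside:80.210.50.25/6801 to inside:192.168.100.23/5060 duration 0:00:12 bytes 4096 TCP FINs
"""

# Interface -> connected subnet, taken from the interface config in the post.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.100.0/24"),
    "Voice": ipaddress.ip_network("192.168.200.0/24"),
}

MSGID_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):")
# Matches "ifc:a.b.c.d/port". The parenthesised mapped addresses carry no
# interface prefix, so they are deliberately not matched.
ENDPOINT_RE = re.compile(r"(?P<ifc>[A-Za-z][\w-]*):(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")
# Teardown reason is whatever follows the byte count.
REASON_RE = re.compile(r"bytes \d+ (?P<reason>\S.*)$")


def parse_line(line):
    """Return message id, (interface, ip, port) endpoints and teardown reason."""
    m = MSGID_RE.search(line)
    if not m:
        return None
    endpoints = [(e["ifc"], e["ip"], int(e["port"])) for e in ENDPOINT_RE.finditer(line)]
    r = REASON_RE.search(line)
    return {"id": m["id"], "endpoints": endpoints, "reason": r["reason"].strip() if r else None}


def offnet_endpoints(lines, interfaces=INTERFACES):
    """Flag endpoints the ASA logged on an interface whose connected subnet does
    not contain them. That is the OP's situation: 192.168.200.8 is recorded on
    'inside' although it lives in the Voice subnet, so the reply has no usable
    adjacency on the interface the flow was built on."""
    findings = set()
    for line in lines.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for ifc, ip, _port in rec["endpoints"]:
            net = interfaces.get(ifc)
            if net is None:
                continue
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                home = next((n for n, s in interfaces.items() if addr in s), None)
                findings.add((ifc, ip, home))
    return sorted(findings)


def summarize(lines, interfaces=INTERFACES):
    """Count the two tell-tale messages and pair them with off-net endpoints."""
    counts = Counter()
    for line in lines.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["id"] == "302014" and rec["reason"] == "No valid adjacency":
            counts["no_valid_adjacency"] += 1
        if rec["id"] == "110003":
            counts["routing_failed"] += 1
    return {"counts": dict(counts), "offnet": offnet_endpoints(lines, interfaces)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    print(result["counts"])
    for ifc, ip, home in result["offnet"]:
        print(f"{ip} logged on {ifc!r} but belongs to the {home!r} subnet")
```

Run against the sample, the only off-net endpoint is 192.168.200.8 on `inside`, which belongs to `Voice`; the 192.168.100.23 flow is clean. Feeding a full `show logging` dump through `summarize` gives a quick way to tell a routing/adjacency problem from a NAT one before touching the production box.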
12-28-2015 11:30 AM
You are routing the vlans on the 3560 but you are then pointing all the traffic via the default route to the inside interface.
What this means is that voice traffic is arriving at the ASA on the inside interface, not the voice interface, so the ASA records the traffic against the inside interface. When the return traffic comes back your ASA is trying to send it via the inside interface, but it doesn't have a route to 192.168.200.x via that interface, which is what your error message is telling you.
Basically you can do two things -
1) remove the SVIs from the 3560 and route the traffic on the ASA ie. the default gateways of the clients are the corresponding ASA interface IPs.
You then use a trunk from the 3560 as you have now.
You may or may not want to do this depending on what you are trying to achieve ie. if the data and voice vlans need to talk to each other then you may want to route on the 3560 and not the ASA. Bear in mind also that the ASA will have less throughput between vlans than your 3560.
2) route the vlans on the 3560 and make the link between the 3560 and the firewall a routed link.
If you did this then you would use a new IP subnet for the connection between the switch and firewall. Then you would have a default route on the switch pointing to the inside interface of the firewall and on the ASA you would need routes for both the data and voice vlans pointing to the 3560 end of the connection.
Jon
12-28-2015 11:32 AM
If you want to keep it simple with no downtime then another option is simply to add a route to the ASA ie.
route inside 192.168.200.0 255.255.255.0 192.168.100.254
and then you don't need a trunk or a voice interface on the ASA.
Note this is really the same as the second option I mentioned other than you are not using a separate IP subnet for the 3560 to ASA connection.
This will work but be aware that for the data traffic it is asymmetric in that traffic going to the internet is routed on the 3560 to the ASA but traffic coming back goes direct to the data client from the ASA ie. it is not routed on the 3560 because the ASA has an interface in that subnet.
Not necessarily a problem, just something to be aware of.
Jon
12-28-2015 12:02 PM
Ok, I think I follow you --- (it looks like your second answer got posted before your first).
The voice and data vlans do not need to talk to each other, AFAIK.
I thought the switch config for the inter vlan routing was ok based on what I've read and done before, but it makes sense that it's all coming out vlan 1 by default on the ASA side and it doesn't know how to route back. I didn't want to throw in a default route because I'm not an ASA specialist and until today I didn't have any way to lab this and I didn't want to screw up the routing on a prod ASA.
So what you're suggesting is to take out the trunking between the ASA/ 3560 and add:
route inside 192.168.200.0 255.255.255.0 192.168.100.254
This would basically route the voice vlan traffic through the ASA over to the gw for vlan 1, right?
12-28-2015 12:09 PM
Yes, add that route to the ASA and it should fix it.
If you add the above it should still work even with the trunk link if you are worried about downtime and then in a quiet period you can change the link.
Up to you really.
Jon
12-28-2015 12:23 PM
Getting this on the prod ASA when adding the route and leaving the trunk in place (working remotely, so I'm trying to be careful):
ASA5505(config)# route inside 192.168.200.0 255.255.255.0 192.168.100.254
ERROR: Cannot add route, connected route exists
On my lab 5505 I can add this command but I have to remove the Vlan 20 from the ASA first. Sound right?
12-28-2015 12:24 PM
Yes, sorry I should have thought of that.
You need to remove the voice interface off the ASA or at least remove the IP before you can add the route.
You can still use a trunk so no worries there.
Jon
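To make Jon's explanation concrete, here is an added Python model (not from the thread) of how the ASA picks an egress interface: each interface contributes a connected route for its subnet, static routes are added the way `route inside 192.168.200.0 255.255.255.0 192.168.100.254` would add one, and longest prefix wins. It reproduces the three states discussed above: the layout as posted (reply to 192.168.200.8 wants to leave via `Voice` although the flow was built on `inside`), the "Cannot add route, connected route exists" rejection, and the two fixes. The 10.0.0.0/30 link subnet used for Jon's option 2 is an assumed value, not something from the thread.

```python
import ipaddress


class RouteError(Exception):
    """Raised for the route-table rejections the thread runs into."""


class AsaRouteTable:
    """Toy model of ASA egress selection: connected routes from interface
    subnets plus static routes; the most specific prefix wins."""

    def __init__(self):
        self.interfaces = {}   # name -> ip_interface
        self.static = []       # (network, egress interface, next hop)

    def add_interface(self, name, cidr):
        self.interfaces[name] = ipaddress.ip_interface(cidr)

    def remove_interface(self, name):
        self.interfaces.pop(name)

    def add_route(self, ifc, cidr, next_hop):
        net = ipaddress.ip_network(cidr)
        # Same refusal the OP hit: a static route for a subnet that is already
        # connected on some interface is rejected.
        for name, iface in self.interfaces.items():
            if iface.network == net:
                raise RouteError(f"Cannot add route, connected route exists on {name}")
        if ifc not in self.interfaces:
            raise RouteError(f"no interface named {ifc}")
        self.static.append((net, ifc, ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        """Return (egress interface, next hop) for dst, or None if unroutable."""
        addr = ipaddress.ip_address(dst)
        best = None  # (prefixlen, interface, next hop)
        for name, iface in self.interfaces.items():
            if addr in iface.network:  # connected: next hop is the host itself
                cand = (iface.network.prefixlen, name, addr)
                best = cand if best is None or cand[0] > best[0] else best
        for net, ifc, nh in self.static:
            if addr in net:
                cand = (net.prefixlen, ifc, nh)
                best = cand if best is None or cand[0] > best[0] else best
        return None if best is None else (best[1], str(best[2]))

    def reply_path_ok(self, ingress_ifc, src):
        """A flow built on ingress_ifc can only be answered if the route back to
        src also leaves via ingress_ifc; otherwise the reply has no adjacency on
        the interface the connection was recorded against."""
        route = self.lookup(src)
        return route is not None and route[0] == ingress_ifc


def as_posted():
    """The OP's layout: Vlan20 on the ASA, but the 3560's default route sends
    voice traffic to 192.168.100.1, i.e. in through 'inside'."""
    asa = AsaRouteTable()
    asa.add_interface("inside", "192.168.100.1/24")
    asa.add_interface("Voice", "192.168.200.1/24")
    return asa


def with_static_route():
    """Jon's no-downtime fix: drop the Voice interface, then point
    192.168.200.0/24 at the 3560's Vlan1 SVI with the quoted route command."""
    asa = as_posted()
    asa.remove_interface("Voice")
    asa.add_route("inside", "192.168.200.0/24", "192.168.100.254")
    return asa


def with_routed_link(link_cidr="10.0.0.1/30", switch_end="10.0.0.2"):
    """Jon's option 2: a dedicated point-to-point subnet between switch and ASA
    (10.0.0.0/30 is an assumed value) and static routes for both VLANs."""
    asa = AsaRouteTable()
    asa.add_interface("inside", link_cidr)
    asa.add_route("inside", "192.168.100.0/24", switch_end)
    asa.add_route("inside", "192.168.200.0/24", switch_end)
    return asa


def route_rejected(asa, ifc, cidr, next_hop):
    """True if the table refuses the route, as the production ASA did."""
    try:
        asa.add_route(ifc, cidr, next_hop)
    except RouteError:
        return True
    return False


if __name__ == "__main__":
    phone = "192.168.200.8"
    for label, asa in (("as posted", as_posted()), ("static route", with_static_route()),
                       ("routed link", with_routed_link())):
        print(f"{label:12} route to {phone}: {asa.lookup(phone)}, "
              f"reply via inside ok: {asa.reply_path_ok('inside', phone)}")
```

In the "as posted" table the route back to the phone resolves to `Voice` while the flow lives on `inside`, which is the mismatch behind "No valid adjacency"; adding the static route while Vlan20 still exists is refused, and once the interface is gone both fixes make the reply leave through `inside` as required. The model has no default route, so anything outside the two VLANs resolves to `None`; that is intentional, since the thread is about the inside-facing routes only.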
12-28-2015 12:30 PM
Cool --- I'm putting in a switch behind my test ASA so I can watch this work here before I try to change it in the field. Should work, so I'll let you know when I try it.
thanks!
12-28-2015 12:32 PM
No problem, glad to help.
Any other queries etc. just post back.
Jon
12-29-2015 01:42 PM
Looks like I'm in business. I moved several of the phones over to the new vlan and so far so good.
Thanks again!