12-28-2015 11:07 AM - edited 03-12-2019 12:04 AM
We are using an ASA 5505 running 8.2 with Sec Plus license. We're running into an issue where we created a second vlan for voice on the network and the phones cannot register properly to their hosted service on the outside. By default the phones are on vlan 1 and they work (in that they get an IP and NAT to the outside world and can register with our hosted service) but when we put them on a different vlan I get some odd results which appear to be NAT related.
We have the default vlan 1 and the second voice vlan 20 --- 192.168.100.x and 192.168.200.x respectively.
Ethernet0/0 = outside interface
Ethernet0/5 = trunked interface to our 3560 switch. Our 3560 is trunked on its link to the ASA.
interface Ethernet0/5
 switchport trunk allowed vlan 1-20
 switchport trunk native vlan 1
 switchport mode trunk
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Vlan20
 nameif Voice
 security-level 100
 ip address 192.168.200.1 255.255.255.0
NAT config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Voice) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
The 3560 has the two vlans (SVIs) created and trunked to the ASA. Routing is enabled on the 3560. Default gw for vlan 1 is 192.168.100.254 and for vlan 20 it's 192.168.200.254. Default route in the 3560 is the interface for the ASA = 192.168.100.1.
From the ASA I can ping the SVI interfaces and from the switch I can ping everything. When I put a device or a phone into vlan 20, I can ping that device from the switch and the ASA. But when I put a phone on vlan 20 and start to watch the traffic as it tries to go out and register, I get some "No valid adjacency" errors in the logs for the ASA and the phone never registers properly (which means no dial tone and no functionality.)
Logs:
%ASA-6-302014: | Teardown TCP connection 1821820 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency |
%ASA-6-305012: | Teardown dynamic TCP translation from inside:192.168.200.8/6961 to outside:94.x.x.50/51026 duration 0:01:01 |
%ASA-6-302015: | Built inbound UDP connection 1821825 for outside:80.210.50.25/20001 (80.210.50.25/20001) to inside:192.168.200.8/49156 (94.x.x.50/51086) |
%ASA-6-302016: | Teardown UDP connection 1821825 for outside:80.210.50.25/20001 to inside:192.168.200.8/49156 duration 0:00:00 bytes 25 |
%ASA-6-302013: | Built outbound TCP connection 1821826 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326) |
%ASA-6-302014: | Teardown TCP connection 1821826 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency |
%ASA-6-302015: | Built inbound UDP connection 1821828 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880) |
%ASA-6-302016: | Teardown UDP connection 1821828 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12 |
%ASA-6-302015: | Built inbound UDP connection 1821832 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880) |
%ASA-6-302016: | Teardown UDP connection 1821832 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12 |
%ASA-6-302013: | Built outbound TCP connection 1821833 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326) |
%ASA-6-302014: | Teardown TCP connection 1821833 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency |
%ASA-6-305011: | Built dynamic TCP translation from inside:192.168.200.8/6921 to outside:94.x.x.50/63830 |
%ASA-6-302013: | Built outbound TCP connection 1821834 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6921 (94.x.x.50/63830) |
%ASA-6-302014: | Teardown TCP connection 1821834 for outside:80.210.50.25/6801 to inside:192.168.200.8/6921 duration 0:00:00 bytes 0 No valid adjacency |
%ASA-6-302015: | Built inbound UDP connection 1821835 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880) |
%ASA-6-110003: | Routing failed to locate next hop for UDP from outside:80.210.50.25/69 to inside:192.168.200.8/49157 |
%ASA-6-302016: | Teardown UDP connection 1821835 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12 |
%ASA-6-305012: | Teardown dynamic TCP translation from inside:192.168.200.8/6933 to outside:94.x.x.50/21101 duration 0:01:01 |
%ASA-6-302013: | Built outbound TCP connection 1821837 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6921 (94.x.x.50/63830) |
%ASA-6-302014: | Teardown TCP connection 1821837 for outside:80.210.50.25/6801 to inside:192.168.200.8/6921 duration 0:00:00 bytes 0 No valid adjacency |
%ASA-6-302015: | Built inbound UDP connection 1821841 for outside:80.210.50.25/69 (80.210.50.25/69) to inside:192.168.200.8/49157 (94.x.x.50/44880) |
%ASA-6-302016: | Teardown UDP connection 1821841 for outside:80.210.50.25/69 to inside:192.168.200.8/49157 duration 0:00:00 bytes 12 |
Public IPs have been changed to protect the innocent.
I've looked at everything I can find for that error message, but I can't figure out if this is a routing or NAT issue.
Any help would be appreciated.
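A triage check for the log above, added here as an example and not part of the original post: it tallies the failure messages and flags every entry where the interface name the ASA logged differs from the interface whose subnet, per the posted config, contains the address. The function names are choices made for this example; the four sample lines are copied from the post's log.

```python
import ipaddress
import re
from collections import Counter

# Interface subnets taken from the posted config (nameif -> network).
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.100.0/24"),
    "Voice": ipaddress.ip_network("192.168.200.0/24"),
}

# Four lines copied from the post's log, used as sample input.
SAMPLE = [
    "%ASA-6-302013: | Built outbound TCP connection 1821826 for outside:80.210.50.25/6801 (80.210.50.25/6801) to inside:192.168.200.8/6981 (94.x.x.50/23326) |",
    "%ASA-6-302014: | Teardown TCP connection 1821826 for outside:80.210.50.25/6801 to inside:192.168.200.8/6981 duration 0:00:00 bytes 0 No valid adjacency |",
    "%ASA-6-110003: | Routing failed to locate next hop for UDP from outside:80.210.50.25/69 to inside:192.168.200.8/49157 |",
    "%ASA-6-305011: | Built dynamic TCP translation from inside:192.168.200.8/6921 to outside:94.x.x.50/63830 |",
]

MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")
# "<nameif>:<ipv4>/<port>"; masked addresses such as 94.x.x.50 do not match.
ENDPOINT_RE = re.compile(r"\b([A-Za-z][\w-]*):(\d{1,3}(?:\.\d{1,3}){3})/\d+")


def owning_interface(ip):
    """Return the nameif whose configured subnet contains ip, or None."""
    return next((n for n, net in INTERFACES.items() if ip in net), None)


def triage(lines):
    """Count routing failures and interface/subnet mismatches in ASA syslog."""
    failures, mismatches = Counter(), Counter()
    for line in lines:
        msg = MSG_RE.search(line)
        if not msg:
            continue
        if "No valid adjacency" in line:
            failures[(msg.group(1), "No valid adjacency")] += 1
        elif msg.group(1) == "110003":
            failures[(msg.group(1), "no next hop")] += 1
        for nameif, addr in ENDPOINT_RE.findall(line):
            expected = owning_interface(ipaddress.ip_address(addr))
            if expected and expected != nameif:
                mismatches[(nameif, addr, expected)] += 1
    return failures, mismatches


if __name__ == "__main__":
    failures, mismatches = triage(SAMPLE)
    print("failures:", dict(failures))
    print("logged nameif != configured nameif:", dict(mismatches))
```

On the sample lines every entry for 192.168.200.8 is tagged `inside`, the interface the 3560's default route points at, while the posted config places 192.168.200.0/24 on `Voice`.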