ASA NAT failed to locate egress interface

steven fitzpatrick · ‎06-12-2015

We have a cisco ASA X series and we have a dynamic PAT rule in place which works fine but then every so often we randomly get syslogs as below

%ASA-6-110002: Failed to locate egress interface for protocol from src 
interface:src IP/src port to dest IP/dest port

ANy ideas on why it might be doing this?

Thanks

Steven

Akshay Rastogi · ‎06-13-2015

Hi Steven,

As per the logs, below is the explanation i have found :

Q. How can I resolve this error message: `%ASA-6-110002: Failed to locate egress interface for UDP from outside:x.x.x.x/xxxx to x.x.x.x/xxxx`?

A. ASA gives this error message when VPN Client tries to use peer-to-peer program and that traffic goes into the tunnel, where the peer-to-peer server does not reside. Configure the split tunnel in order to resolve this issue so that the traffic that needs to go out to the internet does not travel through the Tunnel and the packet is not dropped by the firewall. Refer to ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example for more information on Split Tunneling configuration in ASA.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/68330-pix-7x-faq.html

Does that log traffic matches the criteria for Dynamic PAT ? and can you confirm if ASA is not loosing any route during that time for the destination or if they are for same-security-level traffic?

Thanks & Regards,

Akshay Rastogi

ASA NAT failed to locate egress interface

Q. How can I resolve this error message: %ASA-6-110002: Failed to locate egress interface for UDP from outside:x.x.x.x/xxxx to x.x.x.x/xxxx?

Q. How can I resolve this error message: `%ASA-6-110002: Failed to locate egress interface for UDP from outside:x.x.x.x/xxxx to x.x.x.x/xxxx`?