02-21-2014 10:24 AM - edited 03-11-2019 08:48 PM
Hi All
Hopefully someone can help. I have a setup of wireless clients that are not able to connect to the internet.
I can see packets on both the Wireless-DMZ and outside interfaces, but I can see the following in the logging.
Feb 21 2014 18:06:03: %ASA-7-609001: Built local-host WIRELESS-DMZ:192.168.87.210
Feb 21 2014 18:06:03: %ASA-6-305011: Built dynamic UDP translation from WIRELESS-DMZ:192.168.87.210/56197 to OUTSIDE:x.x.x.x/53547
Feb 21 2014 18:06:03: %ASA-6-302015: Built outbound UDP connection 21496269 for OUTSIDE:8.8.4.4/53 (8.8.4.4/53) to WIRELESS-DMZ:192.168.87.210/56197 (x.x.x.x/53547)
Feb 21 2014 18:06:03: %ASA-6-110003: Routing failed to locate next hop for UDP from OUTSIDE:8.8.4.4/53 to WIRELESS-DMZ:192.168.87.210/56197
Feb 21 2014 18:06:03: %ASA-6-302016: Teardown UDP connection 21496269 for OUTSIDE:8.8.4.4/53 to WIRELESS-DMZ:192.168.87.210/56197 duration 0:00:00 bytes 210
NHSE-SW-ASA01/act#
NAT CONFIG
SE-SW-ASA01/act# sh run nat
nat (WIRELESS-DMZ) 1 192.168.0.0 255.255.0.0
sh run global
global (OUTSIDE) 1 x.x.x.x
Interface gig 0/2 has 2 sub-interfaces:
SW-ASA01/act# sh run int Ethernet0/2.666
!
interface Ethernet0/2.666
vlan 666
nameif WIRELESS-DMZ
security-level 50
ip address 192.168.84.1 255.255.254.0
Connected ROUTE
SW-ASA01/act# sh route wiRELESS-DMZ
C 192.168.84.0 255.255.254.0 is directly connected, WIRELESS-DMZ
ARP TABLE
SW-ASA01/act# sh arp
WIRELESS-DMZ 192.168.87.199 a0ed.cda1.8725 3
WIRELESS-DMZ 192.168.87.210 b09f.bab3.d860 7
WIRELESS-DMZ 192.168.87.219 b09f.bac8.fa8f 579
WIRELESS-DMZ 192.168.87.202 a888.0856.b5d3 3197
WIRELESS-DMZ 192.168.87.146 6c88.140c.552c 3486
WIRELESS-DMZ 192.168.87.145 0c30.218a.5fd4 3492
WIRELESS-DMZ 192.168.87.218 b09f.bac8.6ddd 3585
WIRELESS-DMZ 192.168.87.212 8cfa.ba4a.4b1e 3632
WIRELESS-DMZ 192.168.87.217 4874.6e54.ceb4 3641
WIRELESS-DMZ 192.168.87.209 6c88.140c.5a80 3787
WIRELESS-DMZ 192.168.87.213 6c88.1409.6f64 4210
WIRELESS-DMZ 192.168.87.141 843a.4bae.74d8 5470
WIRELESS-DMZ 192.168.87.195 6c88.140c.5a38 6292
WIRELESS-DMZ 192.168.87.206 444c.0cda.b1e1 7206
WIRELESS-DMZ 192.168.87.182 cc78.5fb6.79a9 7347
WIRELESS-DMZ 192.168.87.181 0c30.2193.a477 7385
WIRELESS-DMZ 192.168.87.198 a0ed.cd9d.395a 9394
WIRELESS-DMZ 192.168.87.192 6c88.1409.ec90 9447
WIRELESS-DMZ 192.168.87.211 ec35.86d0.af7d 12006
ERROR MESSAGE
1: 17:48:19.786671 8.8.4.4.53 > 192.168.87.210.56759: udp 179 Drop-reason: (no-adjacency) No valid adjacency
2: 17:48:20.787251 8.8.4.4.53 > 192.168.87.210.56759: udp 179
3: 17:48:23.800800 8.8.8.8.53 > 192.168.87.210.56759: udp 179 Drop-reason: (no-adjacency) No valid adjacency
4: 17:48:24.802921 8.8.8.8.53 > 192.168.87.210.56759: udp 179 Drop-reason: (no-adjacency) No valid adjacency
5: 17:48:27.804523 8.8.4.4.53 > 192.168.87.210.56759: udp 179 Drop-reason: (no-adjacency) No valid adjacency
6: 17:48:36.823336 8.8.4.4.53 > 192.168.87.210.56759: udp 179
7: 17:49:03.885131 8.8.8.8.53 > 192.168.87.210.56759: udp 179 Drop-reason: (no-adjacency) No valid adjacency
7 packets shown
SWITCH CONFIG
SW-CORESW01#sh run int gig 1/0/1
interface GigabitEthernet1/0/1
description SW-ASA01-P GI0/1 : INSIDE FIREWALL
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 144,666,1016
switchport mode trunk
SWITCH MAC ADDRESS
SW-CORESW01#sh mac address-table | in d48c.b5c2.7246
666 d48c.b5c2.7246 DYNAMIC Gi1/0/1
1016 d48c.b5c2.7246 DYNAMIC Gi1/0/1
VLAN 666
SW-CORESW01#sh vlan id 666
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
666 WIRELESS-GUEST active Fa1/0/47, Gi1/0/1, Fa2/0/47, Gi2/0/1, Fa3/0/47
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
666 enet 100666 1500 - - - - - 0 0
Regards Craig
02-21-2014 10:44 AM
Craig
Your wireless clients are using 192.168.87.x addressing but your DMZ IP subnet is 192.168.84.0 255.255.254.0, i.e. this is -
network address = 192.168.84.0
usable IPs = 192.168.84.1 -> 192.168.85.254
broadcast address = 192.168.85.255
so your clients do not fall into the network. You need to either -
1) change the network on the DMZ interface
or
2) change your client addresses to fall within the 192.168.84.0/31 network.
Perhaps the mask should be 255.255.252.0 ?
Jon
02-21-2014 10:42 AM
The eth0/2.666 WIRELESS-DMZ interface is addressed as a /23 but the NAT definition is a /16. They should match.
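As an added illustration (not code from the thread or from Cisco), a small Python check that reproduces the reasoning in Jon's and Marvin's replies with the values Craig posted: the usable range of 192.168.84.1 255.255.254.0, whether a return packet to 192.168.87.210 has a route in that connected subnet, and whether the nat statement's network matches the interface subnet. SUGGESTED_MASK is Jon's guess of 255.255.252.0 and is an assumption, not a confirmed fix.

```python
import ipaddress
from typing import Optional

# Values taken from the thread. SUGGESTED_MASK is Jon's guess (255.255.252.0),
# an assumption rather than a confirmed fix; everything else is what Craig posted.
IFACE_IP = "192.168.84.1"
IFACE_MASK = "255.255.254.0"
NAT_NETWORK = "192.168.0.0/255.255.0.0"  # nat (WIRELESS-DMZ) 1 192.168.0.0 255.255.0.0
CLIENT_IP = "192.168.87.210"
SUGGESTED_MASK = "255.255.252.0"


def subnet_facts(iface_ip: str, mask: str) -> dict:
    """Network, usable range and broadcast for an interface address/mask."""
    net = ipaddress.IPv4Interface(f"{iface_ip}/{mask}").network
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }


def find_route(dst: str, routes: list) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix match over a route table. None is the condition the ASA
    logs as %ASA-6-110003 (no next hop) and the capture shows as no-adjacency."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r]
    return max(matches, key=lambda r: r.prefixlen) if matches else None


def diagnose(iface_ip: str, mask: str, client_ip: str, nat_network: str) -> dict:
    """The two checks from the replies: does the return packet to the client have a
    route in the connected subnet, and does the NAT network equal the interface subnet.
    Only the WIRELESS-DMZ connected route is modelled; the ASA log names that
    interface as the egress, so that is the table that has to contain the client."""
    iface_net = ipaddress.IPv4Interface(f"{iface_ip}/{mask}").network
    nat_net = ipaddress.IPv4Network(nat_network)
    return {
        "client_in_connected_subnet": ipaddress.IPv4Address(client_ip) in iface_net,
        "return_route": find_route(client_ip, [iface_net]),
        "nat_matches_interface": nat_net == iface_net,
    }


if __name__ == "__main__":
    print(subnet_facts(IFACE_IP, IFACE_MASK))
    print("as posted:", diagnose(IFACE_IP, IFACE_MASK, CLIENT_IP, NAT_NETWORK))
    print("with /22: ", diagnose(IFACE_IP, SUGGESTED_MASK, CLIENT_IP, NAT_NETWORK))
```

Note that the outbound direction passes because the /16 nat statement matches the client's source address even though it lies outside the /23, which is why the log shows the translation and connection being built before the return packet fails.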
02-21-2014 10:53 AM
Hi Jon / Marvin
Thank you for the response. I will change the configuration to match.
Regards Craig