01-25-2022 07:48 AM
Hello everybody,
Our customer has removed his MPLS from the inside interface of his ASA5512 (9.12(4)37).
But the inside interface was the interface the management station used to monitor the ASA.
Now it should use the other interface, inside_fr, for monitoring, and the management station (10.10.40.86) is
located in a remote site that is connected by an S2S tunnel.
When the management station runs a permanent ping to the new interface IP address 192.168.60.5 I see the following in the logging of the ASA:
...
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
...
I have never seen this message before.
It seems that the ASA doesn't know which interface should be
used for replying to the ICMP echo request.
Both IP addresses are in the local and remote protected network of the tunnel.
The routing table is pretty small and I don't think that routing is the reason:
Result of the command: "sh route"

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 62.156.244.35 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 62.156.244.35, outside
C        192.168.60.0 255.255.255.0 is directly connected, inside_fr
L        192.168.60.5 255.255.255.255 is directly connected, inside_fr
I cannot see a reason in the NAT for the issue (entries with hit count 0 omitted):
Result of the command: "sh nat"

Manual NAT Policies (Section 1)
2 (any) to (outside) source static any any destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp description Server Netze in Neumarkt ueber VPN - 29.05.2018 15:19 - Hammer
    translate_hits = 79917, untranslate_hits = 49625
6 (any) to (any) source static Labor Labor destination static Verwaltung Verwaltung
    translate_hits = 70105, untranslate_hits = 87444
7 (outside) to (inside_fr) source static Abstract_Factory Abstract_Factory destination static Verwaltung Verwaltung
    translate_hits = 29226, untranslate_hits = 29228
8 (any) to (any) source static Hoechst Hoechst destination static Verwaltung Verwaltung
    translate_hits = 57523, untranslate_hits = 62137
12 (inside_fr) to (outside) source static DE-FR2_LAN_192.168.60.0_24 DE-FR2_LAN_192.168.60.0_24 destination static 10.12.2.120_29_EXTERN_Frankfurt 10.12.2.120_29_EXTERN_Frankfurt
    translate_hits = 672, untranslate_hits = 757
15 (inside_fr) to (outside) source static Verwaltung Verwaltung destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
    translate_hits = 64942, untranslate_hits = 114279

Auto NAT Policies (Section 2)
1 (inside_fr) to (outside) source static THXOWA interface service tcp https https no-proxy-arp
    translate_hits = 0, untranslate_hits = 9353
2 (inside_fr) to (outside) source static THCSMTP interface service tcp smtp smtp no-proxy-arp
    translate_hits = 0, untranslate_hits = 65389
3 (any) to (outside) source dynamic THC interface
    translate_hits = 268166, untranslate_hits = 55804
Attached you find the 'sh run' output.
Do you have any idea what could cause this error message?
Every hint is welcome!
Thanks a lot!
Bye
R.
01-25-2022 07:58 AM
follow
01-25-2022 08:43 AM
- Check if this thread can help; perhaps you are experiencing something similar: https://community.cisco.com/t5/network-security/asa-6-110002-failed-to-locate-egress-interface-for-icmp-from/td-p/2454572
M.
01-25-2022 09:06 AM - edited 01-25-2022 09:26 AM
@swscco001 when you are managing an ASA using its inside interface over a VPN you need the command "management-access <interface name>" configured. You have that command configured, but as you've changed the inside interface, you need to change the command to:
management-access inside_fr
If that doesn't work please run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.
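As an added example (not from this thread and not Cisco code), the following Python script parses a 110002 syslog line in the format shown above, works out from a config fragment which interface owns the polled address, and flags a management-access statement that still names the old interface. The config fragment is constructed; the interface names and the 198.51.100.2 address are assumptions.

```python
import ipaddress
import re

# Constructed sample syslog line in the thread's format (not a real capture).
SAMPLE_LOG = ("6|||110002|10.10.40.86|25260|||Failed to locate egress interface "
              "for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0")

# Constructed config fragment modelled on the thread; addresses other than
# 192.168.60.5 are made up. 'management-access' still names the old interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside_fr
 ip address 192.168.60.5 255.255.255.0
!
management-access inside
"""
# Same fragment with the fix suggested in the thread applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("management-access inside", "management-access inside_fr")

MSG_110002 = re.compile(r"Failed to locate egress interface for \S+ from ([^:]+):([^/]+)/\d+ to ([^/]+)/\d+")

def parse_110002(line):
    """Return (ingress_if, src_ip, dst_ip) for an ASA 110002 line, else None."""
    if "|110002|" not in line:
        return None
    m = MSG_110002.search(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def parse_interfaces(config):
    """Map nameif -> ip_interface for every interface block carrying both."""
    ifaces, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new block, forget previous nameif
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def check_management_access(config, polled_ip):
    """Return (interface owning polled_ip, management-access interface, match?)."""
    owner = next((n for n, i in parse_interfaces(config).items()
                  if str(i.ip) == polled_ip), None)
    m = re.search(r"^management-access (\S+)", config, re.M)
    configured = m.group(1) if m else None
    return owner, configured, owner is not None and owner == configured
```

Feeding the destination from parse_110002(SAMPLE_LOG) into check_management_access returns ('inside_fr', 'inside', False) for SAMPLE_CONFIG and ('inside_fr', 'inside_fr', True) for FIXED_CONFIG.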
01-27-2022 05:26 AM
Hi Rob,
This solved my issue.
Thanks a lot!
Bye
R.