
ASA5512: "Failed to locate egress interface for ..."

swscco001

Hello everybody,

 

Our customer has removed his MPLS from the inside interface of his ASA5512 (9.12(4)37).

 

But the inside interface was the interface the management station has used to monitor the ASA.

 

Now it should use the other inside_fr interface for monitoring and the management station (10.10.40.86) is located in a remote site that is connected by an S2S tunnel.

 

When the management station runs a permanent ping to the new interface IP address 192.168.60.5 I see the following in the logging of the ASA:

...
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
...

I have never seen this message before.

 

Seems that the ASA doesn't know what interface should be used for replying to the ICMP echo request.

 

Both IP addresses are in the local and remote protected network of the tunnel.

 

The routing table is pretty small and I don't think that routing is the reason:

Result of the command: "sh route"

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 62.156.244.35 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 62.156.244.35, outside
C        192.168.60.0 255.255.255.0 is directly connected, inside_fr
L        192.168.60.5 255.255.255.255 is directly connected, inside_fr

 

I cannot see a reason in the NAT for the issue (entries with hit count 0 omitted):

Result of the command: "sh nat"

Manual NAT Policies (Section 1)

2 (any) to (outside) source static any any  destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp description Server Netze in Neumarkt ueber VPN - 29.05.2018 15:19 - Hammer
    translate_hits = 79917, untranslate_hits = 49625

6 (any) to (any) source static Labor Labor  destination static Verwaltung Verwaltung
    translate_hits = 70105, untranslate_hits = 87444

7 (outside) to (inside_fr) source static Abstract_Factory Abstract_Factory  destination static Verwaltung Verwaltung
    translate_hits = 29226, untranslate_hits = 29228

8 (any) to (any) source static Hoechst Hoechst  destination static Verwaltung Verwaltung
    translate_hits = 57523, untranslate_hits = 62137

12 (inside_fr) to (outside) source static DE-FR2_LAN_192.168.60.0_24 DE-FR2_LAN_192.168.60.0_24  destination static 10.12.2.120_29_EXTERN_Frankfurt 10.12.2.120_29_EXTERN_Frankfurt
    translate_hits = 672, untranslate_hits = 757

15 (inside_fr) to (outside) source static Verwaltung Verwaltung  destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
    translate_hits = 64942, untranslate_hits = 114279


Auto NAT Policies (Section 2)
1 (inside_fr) to (outside) source static THXOWA interface  service tcp https https  no-proxy-arp
    translate_hits = 0, untranslate_hits = 9353

2 (inside_fr) to (outside) source static THCSMTP interface  service tcp smtp smtp  no-proxy-arp
    translate_hits = 0, untranslate_hits = 65389

3 (any) to (outside) source dynamic THC interface 
    translate_hits = 268166, untranslate_hits = 55804

Attached you find the 'sh run' output.

 

Do you have any idea what could cause this error message?

 

Every hint is welcome!

 

Thanks a lot!

 


Bye
R.


marce1000

 

 - Check if this thread can help. Perhaps you are experiencing something similar: https://community.cisco.com/t5/network-security/asa-6-110002-failed-to-locate-egress-interface-for-icmp-from/td-p/2454572

 M.

 



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

@swscco001 when you are managing an ASA using its inside interface over a VPN, you need the command "management-access <interface name>" configured. You have that command configured, but as you've changed the inside interface, you need to change the command to:

 

management-access inside_fr 

If that doesn't work please run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.
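
An added example, not part of the original posts: a short Python script that reads the 110002 lines and the "sh route" excerpt quoted in the question and reports which events are aimed at one of the firewall's own addresses but arrive on a different interface, which is the situation the management-access answer above addresses. The function names and the labels it prints are assumptions of this example.

```python
import re
from collections import Counter

# Sample input copied from the question in this thread (log lines and "sh route" excerpt).
SYSLOG = """\
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
6|||110002|10.10.40.86|25260|||Failed to locate egress interface for ICMP from outside:10.10.40.86/25260 to 192.168.60.5/0
"""
ROUTES = """\
S*       0.0.0.0 0.0.0.0 [1/0] via 62.156.244.35, outside
C        192.168.60.0 255.255.255.0 is directly connected, inside_fr
L        192.168.60.5 255.255.255.255 is directly connected, inside_fr
"""

# Message text of syslog 110002: protocol, ingress interface, source and destination.
EVENT_RE = re.compile(
    r"Failed to locate egress interface for (?P<proto>\S+) from "
    r"(?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 'L' (local) host routes list the firewall's own interface addresses.
LOCAL_RE = re.compile(
    r"^L\s+(?P<ip>[\d.]+)\s+255\.255\.255\.255 is directly connected, (?P<ifname>\S+)",
    re.M,
)

def local_addresses(route_output):
    """Map each of the firewall's own addresses to the interface that owns it."""
    return {m["ip"]: m["ifname"] for m in LOCAL_RE.finditer(route_output)}

def classify(syslog_text, route_output):
    """Count 110002 events and label the ones aimed at the firewall itself."""
    local = local_addresses(route_output)
    findings = Counter()
    for m in EVENT_RE.finditer(syslog_text):
        owner = local.get(m["dst"])
        if owner is None:
            kind = "through-the-box"
        elif owner == m["in_if"]:
            kind = "to-the-box, same interface"
        else:
            # Traffic to the box's own address entering on another interface:
            # check which interface "management-access" names.
            kind = f"to-the-box via {m['in_if']}, address on {owner}"
        findings[(m["proto"], m["src"], m["dst"], kind)] += 1
    return findings

if __name__ == "__main__":
    for (proto, src, dst, kind), n in classify(SYSLOG, ROUTES).items():
        print(f"{n}x {proto} {src} -> {dst}: {kind}")
```
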

Hi Rob,

 

This solved my issue.

 

Thanks a lot!

 

 

Bye
R.
