failed to locate egress interface asdm

mahesh18
Level 6

Hi everyone,

I am trying to ASDM to an ASA which has an L2 tunnel connection:

PC  ASA1 ---------------------------------L2 tunnel  ASA  2

When I try ASDM to ASA2, the ASA1 log shows a SYN timeout to IP 10.31.2.81, which is the management IP of ASA 2.

ASA 2 has no NAT configured.

The log on ASA 2 shows:

failed to locate egress interface x; it has my PC IP subnet 172.31, then 10.31.2.81/443.

I have configured this on ASA2:

management-access  x

Regards

Mahesh

8 Replies

Sounds like it might be a NAT-related problem. Have you made sure that your subnet is included in the twice NAT statement?

--
Please remember to rate and select a correct answer

Hi Marius,

We have no NAT config on ASA2.

It seems to be a NAT issue, but I need help with twice NAT.

Regards

Mahesh

If you have no NAT at ASA2, is there a router in front of it that is doing NAT? Do you have NAT-T configured for the L2 tunnel on ASA2?

Do you have twice NAT (NoNAT) configured on ASA1?

Here is an example of twice NAT:

object network local-lan
 subnet 192.168.1.0 255.255.255.0
object network remote-lan
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static local-lan local-lan destination static remote-lan remote-lan

--
Please remember to rate and select a correct answer

Hi Marius,

I configured twice NAT, but now I see the SYN timeout coming from the ASA 2 firewall.

We do not have twice NAT on ASA 1.

Should I configure it on ASA 1 also?

ASA1 has no NAT config.

Regards

Mahesh

Please describe your network in detail, how it is set up.  If possible, also include a network diagram.

--
Please remember to rate and select a correct answer

Hi Marius,

The L2 VPN between ASA 1 and 2 is not using any NAT.

There is no NAT config.

It seems that at first, when I configured the command management-access, I put the outside interface instead of the management interface of the ASA.

Then I configured the twice NAT on ASA 2, which gave me the SYN timeout log message on ASA 2 and also on ASA 1 when I tried ASDM to ASA 2.

Then I checked on ASA1 that it has no NAT config, and then I removed the twice NAT config from ASA 2, which fixed my problem.

Questions to you:

1> As per the setup here, is it possible to have an L2 tunnel without using any NAT?

Is this good practice? Any benefit of not using NAT here?

2> When you say "Do you have NAT-T configured for the L2 tunnel on ASA2?",

what does it mean, and how can I check whether I have configured it or not?

Regards

Mahesh
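The two log messages that drove this thread, "failed to locate egress interface" and "SYN timeout", each point at a different misconfiguration (the management-access interface versus a NAT rule that does not cover the source subnet). The script below is an added example, not code from the thread or from Cisco: it parses constructed ASA syslog lines and attaches the check a troubleshooter would make next. The log lines are constructed; the addresses mirror the thread (PC in 172.31.0.0/16, ASA2 management IP 10.31.2.81). Syslog IDs 110002 and 302014 are the standard ASA IDs for these two messages, but their exact field layout on a given ASA release is an assumption here, as are the interface names "outside" and "management".

```python
"""Triage of the two ASA syslog messages seen in this thread (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, not taken from the thread. The third line is a normal
# connection build and must not produce a finding.
SAMPLE_LOG = """\
Jun 01 2024 10:15:01 ASA2 : %ASA-6-110002: Failed to locate egress interface for TCP from outside:172.31.5.20/51514 to 10.31.2.81/443
Jun 01 2024 10:15:31 ASA2 : %ASA-6-302014: Teardown TCP connection 1401 for outside:172.31.5.20/51515 to management:10.31.2.81/443 duration 0:00:30 bytes 0 SYN Timeout
Jun 01 2024 10:16:02 ASA2 : %ASA-6-302013: Built inbound TCP connection 1402 for outside:172.31.5.20/51516 (172.31.5.20/51516) to management:10.31.2.81/443 (10.31.2.81/443)
"""

# Field layout of the two messages is assumed; adjust if your release differs.
EGRESS_RE = re.compile(
    r"%ASA-\d-110002: Failed to locate egress interface for (?P<proto>\w+) "
    r"from (?P<src_if>[\w.-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
SYN_TIMEOUT_RE = re.compile(
    r"%ASA-\d-302014: Teardown (?P<proto>\w+) connection \d+ "
    r"for (?P<src_if>[\w.-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[\w.-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) .*SYN Timeout"
)


@dataclass
class Finding:
    msg_id: str
    src_if: str
    src: str
    dst: str
    dport: int
    hint: str


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for the two messages of interest, None for anything else."""
    m = EGRESS_RE.search(line)
    if m:
        hint = (
            f"no egress interface for {m['dst']} from {m['src_if']}; if {m['dst']} is "
            "the ASA's own management address reached through the tunnel, check that "
            "'management-access' names the interface holding that address, not the "
            "tunnel's outside interface"
        )
        return Finding("110002", m["src_if"], m["src"], m["dst"], int(m["dport"]), hint)
    m = SYN_TIMEOUT_RE.search(line)
    if m:
        hint = (
            f"TCP handshake from {m['src']} never completed (0 bytes); check whether a "
            "NAT rule on either ASA, e.g. a twice NAT statement that does not cover the "
            f"source subnet of {m['src']}, is rewriting this flow"
        )
        return Finding("302014", m["src_if"], m["src"], m["dst"], int(m["dport"]), hint)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a syslog capture, keeping only the two messages above."""
    findings = (classify_line(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None]


def flows_to(findings: List[Finding], dst_ip: str, dport: int = 443) -> List[Finding]:
    """Narrow findings to one management flow, e.g. ASDM (tcp/443) to a given ASA."""
    return [f for f in findings if f.dst == dst_ip and f.dport == dport]


if __name__ == "__main__":
    for f in flows_to(triage(SAMPLE_LOG), "10.31.2.81"):
        print(f"[{f.msg_id}] {f.src_if}:{f.src} -> {f.dst}/{f.dport}: {f.hint}")
```

Feed it `show logging` output (or a syslog collector export) and filter on the management IP and port you are trying to reach; the hint for each message is the check the thread ended up making by hand.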

1> As per the setup here, is it possible to have an L2 tunnel without using any NAT?

Is this good practice? Any benefit of not using NAT here?

Yes, you would not use NAT with an L2 tunnel. I misread it as L2L, which is why I was talking about NAT.

2> When you say "Do you have NAT-T configured for the L2 tunnel on ASA2?",

what does it mean, and how can I check whether I have configured it or not?

NAT-T is NAT traversal and needs to be configured if there is a device, other than the ASA, in the VPN path that is performing NAT. NAT traversal is configured by default, so you will not see it in your configuration unless you issue show run isakmp all or show run all. The output will show the command isakmp nat-traversal.

--
Please remember to rate and select a correct answer

Thanks, Marius, for answering the questions.

Regards

Mahesh