Solved: failed to locate egress interface asdm

mahesh18 · ‎02-07-2014

Hi everyone,

I am trying to ASDM to ASA which has l2 tunnel connection

PC ASA1 ---------------------------------L2 tunnel ASA 2

When i try asdm to ASA2 ASA1 log shows syn timeout to IP 10.31.2.81 which is Management IP of ASA 2

ASA 2 has no nat configured.

Log shows on ASA 2

failed to locate egress interface x it has my pc ip subnet 172.31 then 10.31.2.81/443.

i have config this on ASA2

management-access x

Regards

MAhesh

Marius Gunnerud · ‎02-07-2014

Sounds like it might be NAT related problem. Have you made sure that your subnet is included in the twice NAT statement?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎02-07-2014

If you have no NAT at ASA2 is there a router infront of it that is doing NAT? Do you have NAT-T configured for the l2 tunnel on ASA2?

Do you have twice NAT (noNAT) configured on ASA1?

here is an example of twice nat.

object network local-lan

subnet 192.168.1.0 255.255.255.0

object network remote-lan

subnet 192.168.2.0 255.255.255.0

nat (inside,outside) source static local-lan local-lan destination static remote-lan remote-lan

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎02-08-2014

1>As per setup here it is possible to have L2 Tunnel without using any NAT?

is this good practice.Any benefit of not using NAT here?

Yes, you would not use NAT with a L2 tunnel. I miss-read it as l2l which is why I was talking about NAT

2>when you say --Do you have NAT-T configured for the l2 tunnel on ASA2?

what does it mean and how can i check if i config it or not?

NAT-T is NAT traversal and needs to be configured if there is a device, other than the ASA, in the VPN path that is performing NAT. NAT traversal is configured by default so you will not see it in your configuration unless you issue the show run isakmp all or show run all. the output will show the command iskmp nat-traversal.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎02-07-2014

Sounds like it might be NAT related problem. Have you made sure that your subnet is included in the twice NAT statement?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-07-2014

Hi Marius,

We have no nat config on ASA2.

seems NAT issue but need help in twice NAT

Regards

MAhesh

Marius Gunnerud · ‎02-07-2014

If you have no NAT at ASA2 is there a router infront of it that is doing NAT? Do you have NAT-T configured for the l2 tunnel on ASA2?

Do you have twice NAT (noNAT) configured on ASA1?

here is an example of twice nat.

object network local-lan

subnet 192.168.1.0 255.255.255.0

object network remote-lan

subnet 192.168.2.0 255.255.255.0

nat (inside,outside) source static local-lan local-lan destination static remote-lan remote-lan

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-07-2014

Hi Marius,

I config twice nat but now i see syn timeout coming from ASA 2 firewall.

We do not have twice nat on ASA 1.

Should i config on ASA 1 also?

ASA1 has no nat config.

Regards

MAhesh

Marius Gunnerud · ‎02-07-2014

Please describe your network in detail, how it is set up. If possible, also include a network diagram.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-07-2014

Hi Marius,

L2 VPN between ASA 1 and 2 is not using any NAT.

There is no NAT config.

Seems at first when i config the command

management-access i put the outside interface instead of Management interface of ASA.

Then i config the twice NAT on ASA 2 that gives me the SYN timeout log message on ASA 2 and also on ASA 1 when i

try ASDM to ASA 2.

Then i checked on ASA1 that it has no NAT config then i remove the twice NAT config from ASA 2 that fixed my problem.

Question to you

1>As per setup here it is possible to have L2 Tunnel without using any NAT?

is this good practice.Any benefit of not using NAT here?

2>when you say --Do you have NAT-T configured for the l2 tunnel on ASA2?

what does it mean and how can i check if i config it or not?

Regards

Mahesh

Marius Gunnerud · ‎02-08-2014

1>As per setup here it is possible to have L2 Tunnel without using any NAT?

is this good practice.Any benefit of not using NAT here?

Yes, you would not use NAT with a L2 tunnel. I miss-read it as l2l which is why I was talking about NAT

2>when you say --Do you have NAT-T configured for the l2 tunnel on ASA2?

what does it mean and how can i check if i config it or not?

NAT-T is NAT traversal and needs to be configured if there is a device, other than the ASA, in the VPN path that is performing NAT. NAT traversal is configured by default so you will not see it in your configuration unless you issue the show run isakmp all or show run all. the output will show the command iskmp nat-traversal.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-08-2014

Thanks Marius for answering the questions.

Regards

MAhesh