Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1453
Views
0
Helpful
2
Replies

Failed to locate egress interface When joining the FW interface IP

lilyzima1
Level 1
Level 1

‎08-10-2017 08:00 AM - edited ‎03-12-2019 02:48 AM

Hi all,

I have the same problem but i've the following error only when I want to join the interface FW IP on ASA 5506 IOS version 9.5.3

basic configuration : no NAT no DHCP on my configuration and I used the static routes

when I ping the interface FW inteconnexion (10.29.10.6) it works

When I ping from the Fw I can reach all servers

When I try to reach the FW interface IPs I can see packets arriving to the FW but the it doesn't return I 've the following error

Failed to locate egress interface for ICMP from intranet:10.10.30.131/1 to 10.29.10.22/0

Please find below my configuration

interface GigabitEthernet1/1
 description TO_Core_Layer_Gi0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.300
 description Intranet
 vlan 10
 nameif intranet
 security-level 0
 ip address 10.29.10.6 255.255.255.248 
!
interface GigabitEthernet1/1.301
 description DMZ
 vlan 11
 nameif DMZ
 security-level 0
 ip address 10.29.10.22 255.255.255.248 
!

interface Management1/1
 management-only
 nameif mgmt
 security-level 100
 ip address 10.17.26.221 255.255.255.240 

route intranet 0.0.0.0 0.0.0.0 10.29.10.1 1
route mgmt 10.2.69.28 255.255.255.255 10.17.26.220 1
route mgmt 10.2.69.29 255.255.255.255 10.17.26.220 1


The core layer configuration

interface GigabitEthernet1/22
 description TO FW PORT gi1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11
 switchport mode trunk
end

ip route 10.29.10.16 255.255.255.248 10.29.10.6

interface vlan 10
 ip address 10.29.10.3 255.255.255.248
 no ip unreachables
 no ip mroute-cache
 standby 1 ip 10.29.10.1
 standby 1 timers 1 3
 standby 1 preempt


I've the same configuration on the other equipement except the IP int vlan IP 10.29.10.2

Best regards

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-10-2017 08:38 AM

By design you cannot reach an interface on an ASA with icmp (ping) other than the one directly in line with your data path.

You should be able to reach any host on the DMZ subnet, just not the ASAs interface.

If you want to confirm your configuration logic and don't have any hosts up in the DMZ yet, you can use packet-tracer to inject a dummy flow and check.

0 Helpful

lilyzima1
Level 1
Level 1
In response to Marvin Rhoads

‎08-10-2017 11:52 PM

Hello,

Thank you so much for your quick answer i'll try to use packet tracert because you're right i've no host up in the DMZ yet. So i'll finalize the configuration and add the others DMZ.

Thank you so much again :)

Have a nice day

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card