3626 Views, 11 Helpful, 4 Replies

Failed to locate egress interface

Hello,

I have a network with an ASA 5520 and several Cisco switches (2960 and 2950).

I had an interface on the ASA for the inside network (native VLAN).

I configured two extra subinterfaces, each with a new VLAN.

I configured the connections (ASA-switch and switch-switch) as trunks.


The thing is that I performed various tests.

From a PC on the new VLAN I ping another PC on the new VLAN, and it does not succeed.

From a PC on the new VLAN I ping another PC on the existing VLAN, and it does not succeed.

From a PC on the new VLAN I ping the FW on the new VLAN, and it succeeds.

From the FW I cannot ping the PC on the new VLAN.

In the logs I get "Failed to locate egress interface", though I have enabled the "same security level" and "hosts connected on the same interface" options under the interface options.

Any ideas what might be wrong?

Thanks and regards,

Konstantinos

2 Accepted Solutions

balaji.bandi (Hall of Fame)

Post the show run configuration so we can understand what is configured; also give us information on what the PC IP address is.

Check whether the end-device PC has the default firewall enabled; disable it for testing purposes.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


@kostasthedelegate

Do you have same-security-traffic permit inter-interface configured to permit traffic between interfaces with the same security level? This allows traffic flow freely between all same security interfaces without ACLs.

 

If you can ping the ASA from the PC but cannot ping the same PC from the ASA, that might indicate the PC has a local firewall enabled?

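To make the two accepted answers concrete, here is an added example of the ASA and switch configuration the thread implies. It is not a configuration posted in the thread; the interface names, VLAN IDs and addresses are assumptions chosen for illustration. It pairs the untagged physical inside interface (native VLAN) with two dot1q subinterfaces at the same security level, adds the same-security-traffic permit inter-interface line the second accepted answer asks about, and shows the matching trunks and an access port on a 2960. Two caveats worth checking before touching the ASA at all: a ping between two PCs in the same new VLAN never traverses the ASA (it is switched at layer 2), so that test exercises only the VLAN and trunk configuration; and "Failed to locate egress interface" is the ASA reporting that it could not choose an interface to send a packet out of, which points at routing and interface addressing rather than at security levels.

```cisco
! ASA 5520 side. All names, VLAN IDs and addresses below are assumptions
! for illustration; they are not from the original post.
interface GigabitEthernet0/1
 description trunk to core switch (untagged frames = native VLAN = inside)
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 description new VLAN 10 (tagged)
 vlan 10
 nameif vlan10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description new VLAN 20 (tagged)
 vlan 20
 nameif vlan20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! Interfaces that share a security level drop each other's traffic unless
! this is set; it is the "same security level" checkbox in ASDM.
same-security-traffic permit inter-interface
! Only needed for hairpinning, i.e. traffic that enters and leaves the
! same interface (the "hosts connected on the same interface" checkbox).
same-security-traffic permit intra-interface

! Cisco 2960 side. dot1q is the only trunk encapsulation on 2960/2950,
! so no "switchport trunk encapsulation" line is needed.
vlan 10
 name new-vlan-10
vlan 20
 name new-vlan-20
!
interface GigabitEthernet0/1
 description uplink to ASA Gi0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
!
interface GigabitEthernet0/2
 description trunk to the 2950 (native VLAN must match both ends)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
!
interface FastEthernet0/5
 description test PC in VLAN 10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

Checks that go with this: on the ASA, show running-config same-security-traffic (both permit lines present), show interface ip brief (subinterfaces up/up with their addresses), show route (a connected route for each subnet) and ping vlan10 192.168.10.50 to source the ping from the subinterface the PC sits behind; on the switches, show interfaces trunk (VLANs 1, 10 and 20 allowed and active on every trunk) and show vlan brief (VLANs 10 and 20 exist and the PC ports are assigned to them). If the switch-side checks fail, the ASA configuration is not what is breaking the PC-to-PC pings.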

4 Replies


Yes, the PC FW was enabled.

Disabled, it should be able to work as we expected.

BB
