What is ASA Error message "Through-the-device packet to/from nve-only network is denied"?

pematthe
Level 1

I have an ASA which, for one subnet only, will not pass traffic.  Configuration is consistent between a number of working interfaces with only the IP network and VLAN being different.  Same physical interface with only sub-interfaces and IP ranges being different.

When tracing the client I receive this error message:

781001    Through-the-device packet to/from nve-only network is denied: udp src IOT_DEVICES:x.x.x.x/55465 dst outside:8.8.8.8/53

I cannot find any reference of Syslog error 781001 or what the nve-only interface is.

FYI - ASA 5516, OS - 9.6(1) with firepower v6.1 but no traffic passed through the module.  

5 Replies

pematthe
Level 1

I fixed my problem but would still like to know what the syslog message means.

I fixed it by deleting and then re-entering the interface configuration.  Same config!  Must have been a glitch in the ASA.  

It does sound like a bug.

An NVE is a network virtualization interface (i.e. a VXLAN Tunnel Endpoint). Did somebody possibly configure and then unconfigure VXLAN on the interface at one point?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/interface-vxlan.html

roberthillcoat
Level 1

I had the exact same error; the NVE interface is related to the VTEP configuration on the physical interface.

If you uncheck the VTEP source interface box under the interface configuration you will resolve the issue. 

netwerk@is.nl
Level 1

Same packet here in the log:

Through-the-device packet to/from management-only network is denied: icmp src management:10.x.y.5 dst management:10.c.d.221

Reason:
We had two different devices (firewalls), both using contexts. On both devices, the management interfaces of the contexts had exactly the same MAC address.
Chances are maybe one in a million, but it happened....
This caused packets to be sent to the management interface of the other context (10.c.d.221).

Solution:
Remove the management interface and rebuild it, including its configuration, et voilà.

Just ran into this exact issue tonight.  Someone on my team recently enabled "mac-address auto."  That coupled with a power outage, and we were seeing this error log and the MACs being the same.  Only 1 IP would be reachable, and typically it was the IP of the slave unit.  This fix worked for us, thanks.

Note: if you delete the interface, all associated config such as AAA and traps will also be removed.  Make sure to get a plaintext backup of the config before.
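Both messages in this thread share one shape, "Through-the-device packet to/from &lt;network&gt; network is denied", and the useful signal is which interface keeps producing them. The following is an added example, not code from any poster or from Cisco: a small parser for that message shape (optional syslog ID, optional /port so ICMP lines parse too) plus a per-interface tally, run over constructed sample lines that mimic the ones quoted above.

```python
import re
from collections import Counter

# Matches the ASA "Through-the-device packet ... is denied" message shape seen in
# the thread: optional message ID prefix, network type, protocol, src/dst as
# interface:ip with an optional /port (absent for ICMP). Regex is an assumption
# derived from the two quoted lines, not an official ASA grammar.
DENIED_RE = re.compile(
    r"(?:%ASA-\d-)?(?P<msgid>\d{6})?:?\s*"
    r"Through-the-device packet to/from (?P<network>[\w-]+) network is denied: "
    r"(?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))?"
    r" dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?"
)

def parse_denial(line):
    """Return the message fields as a dict, or None if the line is another message."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields

def denials_by_interface(lines):
    """Count denials per (network type, source interface). A steady count on one
    interface is the symptom the posters describe: check that interface for a
    leftover VTEP/NVE setting or a duplicate MAC before rebuilding anything."""
    counts = Counter()
    for line in lines:
        fields = parse_denial(line)
        if fields:
            counts[(fields["network"], fields["src_if"])] += 1
    return dict(counts)

# Constructed sample lines in the shape of the thread's messages; addresses are
# documentation ranges, not real hosts. The last line is an unrelated message.
SAMPLE_LOG = [
    "781001    Through-the-device packet to/from nve-only network is denied: udp src IOT_DEVICES:192.0.2.10/55465 dst outside:8.8.8.8/53",
    "781001    Through-the-device packet to/from nve-only network is denied: tcp src IOT_DEVICES:192.0.2.11/41022 dst outside:203.0.113.5/443",
    "Through-the-device packet to/from management-only network is denied: icmp src management:10.0.0.5 dst management:10.0.1.221",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.20/51000 (192.0.2.20/51000)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_denial(line))
    print(denials_by_interface(SAMPLE_LOG))
```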
