Failed to locate egress interface error after switching to TLSv1 only

Jason Lista
Level 1

I have (had) a working AnyConnect VPN set up with no split tunnelling (U-turning/hairpinning traffic) with dual authentication (certificates and Active Directory credentials), running 8.2.5 code.

I switched the SSL settings over from "Any" to "TLSv1 only" tonight to drop SSLv3 support.

This broke AnyConnect ("AnyConnect is not enabled on the VPN server" error), resolved with a Certificate to SSL VPN Connection Profile Map.

Then I had a SVC not enabled for user error, which required me to disable Clientless SSL VPN Access for the AnyConnectGroup to resolve. (We have AnyConnect Essentials enabled)

Now when I connect as a client with AnyConnect, I can access the inside network and other networks that are on a site-to-site VPN with the ASA I am connecting to, but I can no longer access the Internet. 

I get an error as follows:

Failed to locate egress interface for UDP from outside:192.168.10.43/50495 to 239.255.255.250/1900

I can't figure this one out. Any help would be much appreciated. Here are the relevant portions of my config:

(Inside network is 192.168.0.0/24, AnyConnect network is 192.168.10.0/24, site-to-site VPN network is 192.168.2.0/24)

--------------------------------------------------------------------------------------


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list outside_nat0 extended permit ip 192.168.10.0 255.255.255.0 any

ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0
nat (outside) 1 vpn-network 255.255.255.0
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

ssl server-version tlsv1-only
ssl client-version tlsv1-only
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 svc profiles CORP_AnyConnectProfile disk0:/anyconnect_client.xml
 svc enable
 tunnel-group-list enable
 certificate-group-map AnyConnectCertificateMap 10 AnyConnectGroup
group-policy AnyConnectGrpPolicy internal
group-policy AnyConnectGrpPolicy attributes
 wins-server none
 dns-server value X.X.X.X, X.X.X.X
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-policy tunnelall
 default-domain value xxxx.xxxxx.xxxxx
 address-pools value AnyConnectPool
tunnel-group AnyConnectGroup type remote-access
tunnel-group AnyConnectGroup general-attributes
 address-pool AnyConnectPool
 authentication-server-group SERVER1_AD
 default-group-policy AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
 authentication aaa certificate
 group-alias _AnyConnect enable

3 Replies

Jason Lista
Level 1

Following the packet tracer, with the VPN traffic originating on the outside:

packet-tracer input outside tcp 192.168.10.43 1065 4.2.2.2 80

dropped the traffic on access-list.

I added the following rule:

access-list vpn-access-out extended permit ip 192.168.10.0 255.255.255.0 any

This change allows the packet all the way through the VPN and out to the Internet with the IP of the outside interface via packet tracer, but it doesn't resolve the problem.

 

When I attempt to connect to the internet now, I get the same failed to locate egress interface error. 

I'm also noticing a bunch of these: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.10.43/137 dst outside:192.168.10.255/137 denied due to NAT reverse path failure

I had these previously (although not nearly as many log entries) but ignored them because everything was working fine.

 

Actually, now that I test it again via packet tracer, it's being dropped at step WEBVPN-SVC (Flow is denied by configured rule).

I'm still struggling with this, but I have realized it may not be a NAT issue after all.

 

If I try to access a website from the AnyConnect client using the domain name, it doesn't load. HOWEVER, if I try to access it via IP address, it works just fine.

 

So now I have to figure out why the changes I have made broke DNS for the AnyConnect clients.

I added "split-dns value x.x.x.x y.y.y.y" to the AnyConnectGrpPolicy attributes to resolve this problem.
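Added example, not from the original thread: a small Python triage of the two ASA messages quoted above. It separates client discovery chatter that tunnel-all pulls into the VPN and that the ASA has no egress for (SSDP multicast to 239.255.255.250/1900, NetBIOS broadcast to the pool's .255 address) from unicast flows whose failure actually needs a NAT or route fix. The pool 192.168.10.0/24 is taken from the thread; the third sample line is a constructed unicast variant for contrast.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines: the first two are modelled on the messages quoted
# in this thread, the third is a hypothetical unicast variant for contrast.
SAMPLE_LOGS = [
    "Failed to locate egress interface for UDP from outside:192.168.10.43/50495 "
    "to 239.255.255.250/1900",
    "Asymmetric NAT rules matched for forward and reverse flows; Connection for udp "
    "src outside:192.168.10.43/137 dst outside:192.168.10.255/137 denied due to "
    "NAT reverse path failure",
    "Failed to locate egress interface for TCP from outside:192.168.10.43/1065 "
    "to 4.2.2.2/80",
]

# AnyConnect address pool from the thread; its directed broadcast is derived from it.
VPN_POOL = ip_network("192.168.10.0/24")

EGRESS_RE = re.compile(
    r"Failed to locate egress interface for (?P<proto>\w+) from "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
RPF_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) denied due to NAT reverse path failure"
)

def triage(line, pool=VPN_POOL):
    """Classify one ASA message as (event, verdict); None if it matches neither pattern.
    verdict is 'noise', 'investigate' or 'unrelated'."""
    m, event = EGRESS_RE.search(line), "egress"
    if m is None:
        m, event = RPF_RE.search(line), "nat_rpf"
    if m is None:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    if src not in pool:
        return event, "unrelated"  # not a VPN client address, so not this AnyConnect issue
    # Multicast (SSDP) and broadcast (NetBIOS to the pool's .255) are client LAN-discovery
    # traffic; with tunnel-all it lands on the ASA, which has nowhere to forward it.
    if dst.is_multicast or dst == pool.broadcast_address or str(dst) == "255.255.255.255":
        return event, "noise"
    return event, "investigate"  # a real unicast flow from a client failed: check NAT/route

def summarize(lines):
    """Count verdicts across a log excerpt, ignoring lines that match neither pattern."""
    counts = {}
    for line in lines:
        hit = triage(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts
```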