Failed to locate egress interface...

Patrick Tran
Level 1

Hi,

I configured a LAN-to-LAN VPN and it works fine.

The VPN uses IKEv2 and certificate authentication.

[Diagram: Lan2Lan.jpg]

Computer 1 can reach Computer 2 without problem.

From Computer 1, I tried to access the IP of inside 2 (ping, ASDM...) but I get this error: Failed to locate egress interface

I don't understand why I can access the IP of Computer 2 but not the IP of inside 2. Those two IPs are on the same network and the packets pass through the same devices...

How can I solve this problem?

Thanks for your help,

Patrick

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I imagine that both devices we are talking about are Cisco firewalls? I mean the devices doing the VPN.

Cisco firewalls don't allow ICMP from behind one interface to another interface on the same device. The only exception to this is when the traffic is coming through a VPN and a specific configuration command has been entered on the device whose interface you are trying to ICMP from behind the VPN connection.

So if Computer 1 needs to ICMP Inside 2, then the firewall that has the Inside 2 interface must be configured with the command

management-access

The same configuration is required on the other firewall if Computer 2 needs to ICMP Inside 1.

There might also be NAT-related configurations that need modification, but this depends on the software level of your firewalls, which we don't know.

- Jouni
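To make the accepted answer concrete, here is an added example of the relevant configuration on the ASA that owns the "Inside 2" interface (it is not configuration posted by anyone in this thread). The interface names (outside, inside) and the two LAN subnets (192.168.1.0/24 behind ASA 1, 192.168.2.0/24 behind ASA 2) are assumptions; the IKEv2 crypto map and certificate trustpoint are assumed to already exist since the tunnel is up. The NAT rule is the ASA 8.3+/9.x twice-NAT form, so it matches the 9.1(2) software the poster later names.

```cisco
! ASA 2 (owns the "inside" interface that Computer 1 wants to ping / reach with ASDM)
! Assumed subnets: LAN1 = 192.168.1.0/24 (behind ASA 1), LAN2 = 192.168.2.0/24 (behind ASA 2)
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0

! NAT exemption for LAN-to-LAN traffic. "route-lookup" makes the ASA pick the
! egress interface from the routing table instead of the NAT rule's interface
! pair, which is what an "egress interface" style error usually points at.
nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1 no-proxy-arp route-lookup

! Allow the inside interface's own IP to be reached (ICMP, SSH, ASDM) from the
! far end of the VPN. Only one interface per ASA can be designated here.
management-access inside

! Management services still need the remote subnet permitted on that interface
ssh 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside

! Verification:
!   show management-access           -> prints the designated interface
!   show crypto ipsec sa             -> encaps/decaps counters should both rise
!                                       when Computer 1 pings the inside IP
```

Two practical notes: `management-access` designates one interface and does not remove to-the-box access to the ASA's other interface addresses, so existing SSH sessions to the outside address keep working; and the same `management-access inside` line is needed on ASA 1 if Computer 2 must reach the Inside 1 address in the other direction.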


Hi Jouni,

Thanks for your quick answer

I use two Cisco ASA 5515-X on version 9.1(2).

Your solution works great!

I saw the management-access option but I didn't think that it would unblock ping.

Thanks again,

Patrick

I have the same scenario. But the thing is, I use Computer 1 to access both of the ASA firewalls by SSH. I use the IP of outside 2 to access the second firewall. Now, if I use the management-access command on the Inside 2 interface, am I going to lose the SSH connectivity from Computer 1 to the IP of outside 2 on the second ASA firewall?

Thanks,