
Management interface

John Blakley
VIP Alumni

I've configured the management interface on our ASA 5550. The address is 192.168.254.5 and its next hop is .1 (vlan 254 on 3750).

I can ping the management interface fine from my laptop (10.128.100.75), but I can't telnet to the device on the management interface and it gives the following error:

%ASA-6-110003: Routing failed to locate next hop for TCP from management:192.168.254.5/23 to management:John-Blakley/2223

I can't add the route as "route management 10.128.100.0 255.255.255.0 192.168.254.1" because it says that it overlaps with an existing route. The 10.128.100.0 subnet will be exiting out of the inside interface.

What have I missed?

Thanks,

John

HTH, John *** Please rate all useful posts ***

Accepted Solutions

Jon Marshall
Hall of Fame

John

You could try adding a specific route for your laptop out of the management interface but then that would break your Internet access from your laptop.

Problem is telnet is stateful TCP - so the packet enters the ASA on the management interface but then the ASA cannot find a route back to your laptop via that same interface so it drops it.

Jon



Jon,

I figured out that I won't be able to do that. I guess having a management interface on a different subnet means that you should have a system on that same subnet dedicated for that purpose alone.

Thanks!

John

HTH, John *** Please rate all useful posts ***

maldavis3697
Level 1

I'm not sure if this is workable in your situation but if your IT department works on a particular subnet that's smaller than the 10.128.100.0/24 subnet you could put that in to exit the management interface.

We had a similar problem with setting up our management interface on our ASA recently. We have a route through the inside interface that was for 10.0.0.0/8 but we were also able to put in a smaller subnet (10.10.5.0/28) to exit the management interface just for the IT department. It might be a good idea to define a route for a smaller subnet to the IT department anyways as a security precaution.

This worked for us and then traffic that went in the management interface knew how to get back out. I didn't get the exact error you got but then I didn't try to telnet to the ASA. Let me know if this works for you. :)
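
The routing behaviour discussed in this thread, as an added example that is not part of any post and is not Cisco code: a simplified Python model of the reply lookup for a session to the management interface and of longest-prefix forwarding for traffic through the firewall. The /24 mask on the management subnet, the inside gateway `192.0.2.1`, and the class and function names are assumptions made for illustration.

```python
import ipaddress

class RouteTable:
    """Simplified model of the ASA route lookups in this thread (assumption, not Cisco code)."""
    def __init__(self):
        self.routes = []  # tuples of (interface, network, next_hop)

    def add(self, ifname, prefix, next_hop=None):
        net = ipaddress.ip_network(prefix)
        # Same prefix on a second interface is refused, as the first post reports.
        for other_if, other_net, _ in self.routes:
            if other_net == net and other_if != ifname:
                raise ValueError(f"{net} overlaps existing route on {other_if}")
        self.routes.append((ifname, net, next_hop))

    def _best(self, dst, candidates):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in candidates if addr in r[1]]
        return max(hits, key=lambda r: r[1].prefixlen, default=None)

    def reply_next_hop(self, ingress_if, dst):
        """Reply to a to-the-box session: only routes on the ingress interface count."""
        best = self._best(dst, [r for r in self.routes if r[0] == ingress_if])
        if best is None:
            return None  # the "%ASA-6-110003: Routing failed to locate next hop" case
        return best[2] or "connected"

    def transit_egress(self, dst):
        """Through-the-box traffic: longest prefix match across all interfaces."""
        best = self._best(dst, self.routes)
        return best[0] if best else None

LAPTOP = "10.128.100.75"

def build_table():
    rt = RouteTable()
    rt.add("management", "192.168.254.0/24")           # /24 mask is assumed
    rt.add("inside", "10.128.100.0/24", "192.0.2.1")   # hypothetical inside gateway
    return rt

if __name__ == "__main__":
    rt = build_table()
    print("telnet reply, before:", rt.reply_next_hop("management", LAPTOP))
    rt.add("management", LAPTOP + "/32", "192.168.254.1")  # host route from the reply
    print("telnet reply, after: ", rt.reply_next_hop("management", LAPTOP))
    print("transit to laptop now exits:", rt.transit_egress(LAPTOP))
```

With the host route in place the telnet reply finds 192.168.254.1, but transit traffic to the laptop now also leaves via management, which is the side effect the accepted answer warns about.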
