Failed to locate egress interface...

Answered Question
Sep 6th, 2013

Hi,


I configured a Lan 2 Lan VPN and it works fine.

VPN use IKEv2 and certificate authentication.

Lan2Lan.jpg


Computer 1 can join Computer 2 without problem.


From computer 1, I tried to access the IP of inside 2 (ping, ASDM...) but I get this error: Failed to locate egress interface

I don't understand why I can access the IP of Computer 2 but not the IP of inside 2. Those 2 IPs are on the same network and the packets pass through the same devices...


How can I solve this problem?


Thanks for your help,


Patrick

Correct Answer by Jouni Forss about 3 years 8 months ago

Hi,


I imagine that both devices we are talking about are Cisco firewalls? I mean the devices doing the VPN.


Cisco firewalls don't allow ICMP from behind one interface to another interface on the same device. The only exception to this is when the traffic is coming through a VPN and a specific configuration command has been entered on the device you are trying to ICMP from behind the VPN connection.


So if Computer 1 needs to ICMP Inside 2, then the firewall that has the Inside 2 interface must be configured with the command


management-access


The same configuration is required on the other firewall if Computer 2 needs to ICMP Inside 1.


There might also be NAT-related configurations that need modification, but this depends on the software level of your firewalls, which we don't know.


- Jouni
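As an added illustration (not configuration from the thread or from Cisco), here is what the firewall that owns the Inside 2 interface would carry on ASA 9.x: the management-access command Jouni names, plus the identity NAT exemption he says may need adjusting. Interface, object names, and the two subnets are assumptions.

```cisco
! Added example, not from the original post. Firewall owning "Inside 2".
! Interface name, object names and subnets below are assumed for illustration.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
object network LAN1-REMOTE
 subnet 192.168.1.0 255.255.255.0
object network LAN2-LOCAL
 subnet 192.168.2.0 255.255.255.0
!
! Identity (NAT-exempt) rule for the L2L traffic in 8.3+/9.x twice-NAT syntax.
! route-lookup makes the ASA choose the egress interface from the routing table
! instead of from the interface pair named in this rule.
nat (inside,outside) source static LAN2-LOCAL LAN2-LOCAL destination static LAN1-REMOTE LAN1-REMOTE no-proxy-arp route-lookup
!
! Lets hosts arriving over the VPN (terminated on outside) reach the inside
! interface address itself (ping, ASDM, SSH). Only one interface on the ASA
! can be designated as the management-access interface at a time.
management-access inside
!
! ASDM and SSH to that interface still need the usual source allow lists.
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
```

After applying, a ping from a host in 192.168.1.0/24 to 192.168.2.1 should succeed while pings to the outside interface address from the same host remain blocked, which is the intended behaviour.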

Patrick Tran Fri, 09/06/2013 - 04:01
User Badges:

Hi Jouni,


Thanks for your quick answer.

I use 2 Cisco ASA 5515-X on version 9.1(2).


Your solution works great!

I saw the management-access option, but I didn't think that it would unblock ping.


Thanks again,


Patrick
