Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Failed to locate egress interface error after switching to TLSv1 only

I have (had) a working AnyConnect VPN set up with no split tunnelling (U-turning/hairpinning traffic) with dual authentication (certificates and Active Directory credentials), running 8.2.5 code.

I switched the SSL settings over from "Any" to "TLSv1 only " tonight to drop SSLv3 support.

This broke AnyConnect ("AnyConnect is not enabled on the VPN server" error), resolved with a Certificate to SSL VPN Connection Profile Map.

Then I had a SVC not enabled for user error, which required me to disable Clientless SSL VPN Access for the AnyConnectGroup to resolve. (We have AnyConnect Essentials enabled)

Now when I connect as a client with AnyConnect, I can access the inside network and other networks that are on a site-to-site VPN with the ASA I am connecting to, but I can no longer access the Internet. 

I get an error as follows:

Failed to locate egress interface for UDP from outside: to

I can't figure this one out.  Any help would be much appreciated.  Here are the relevant portions of my config:

(Inside network is,

anyconnect network is,

site-site VPN network is


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1
access-list outside_nat0 extended permit ip any

ip local pool AnyConnectPool mask
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1

nat (outside) 0 access-list outside_nat0
nat (outside) 1 vpn-network
access-group outside-access-in in interface outside
route outside X.X.X.X 1

ssl server-version tlsv1-only
ssl client-version tlsv1-only
 enable outside
 svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 svc profiles CORP_AnyConnectProfile disk0:/anyconnect_client.xml
 svc enable
 tunnel-group-list enable
 certificate-group-map AnyConnectCertificateMap 10 AnyConnectGroup
group-policy AnyConnectGrpPolicy internal
group-policy AnyConnectGrpPolicy attributes
 wins-server none
 dns-server value X.X.X.X, X.X.X.X
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-policy tunnelall

default-domain value xxxx.xxxxx.xxxxx
 address-pools value AnyConnectPool
tunnel-group AnyConnectGroup type remote-access
tunnel-group AnyConnectGroup general-attributes
 address-pool AnyConnectPool
 authentication-server-group SERVER1_AD
 default-group-policy AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
 authentication aaa certificate
 group-alias _AnyConnect enable

New Member

Following the packet tracer,

Following the packet tracer, with the VPN traffic originating on the outside:

packet-tracer input outside tcp 1065 80

dropped the traffic on access-list.

I added the following rule:

access-list vpn-access-out extended permit ip any

This change allows the packet all the way through the vpn and out to the internet with the ip of the outside interface via packet tracer but doesn't resolve the problem.


When I attempt to connect to the internet now, I get the same failed to locate egress interface error. 

I'm also noticing a bunch of these: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside: dst outside: denied due to NAT reverse path failure

I had these previously (although not nearly as many log entries) but ignored them because everything was working fine.


Actually now that I test it again via packet tracer, now it's being dropped at step WEBVPN-SVC (Flow is denied by configured rule)

New Member

I'm still struggling with

I'm still struggling with this, but I have realized it may not be a NAT issue after all.


If I try to access a website using the AnyConnect client using the domain name, it doesn't load.  HOWEVER if I try to access it via IP address, it works just fine.


So now I have to figure out why the changes I have made broke DNS for the AnyConnect clients.

New Member

I added "split-dns value x.x

I added "split-dns value x.x.x.x y.y.y.y" to the AnyConnectGrpPolicy attributes to resolve this problem.

CreatePlease to create content