Failed to locate egress interface error after switching to TLSv1 only
I have (had) a working AnyConnect VPN set up with no split tunnelling (U-turning/hairpinning traffic) with dual authentication (certificates and Active Directory credentials), running 8.2.5 code.
I switched the SSL settings over from "Any" to "TLSv1 only" tonight to drop SSLv3 support.
This broke AnyConnect ("AnyConnect is not enabled on the VPN server" error), resolved with a Certificate to SSL VPN Connection Profile Map.
Then I had an "SVC not enabled for user" error, which required me to disable Clientless SSL VPN Access for the AnyConnectGroup to resolve. (We have AnyConnect Essentials enabled.)
Now when I connect as a client with AnyConnect, I can access the inside network and other networks that are on a site-to-site VPN with the ASA I am connecting to, but I can no longer access the Internet.
I get an error as follows:
Failed to locate egress interface for UDP from outside:192.168.10.43/50495 to 22.214.171.124/1900
I can't figure this one out. Any help would be much appreciated. Here are the relevant portions of my config:
access-list vpn-access-out extended permit ip 192.168.10.0 255.255.255.0 any
This change allows the packet all the way through the VPN and out to the Internet with the IP of the outside interface via packet tracer, but doesn't resolve the problem.
When I attempt to connect to the Internet now, I get the same "Failed to locate egress interface" error.
I'm also noticing a bunch of these: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.10.43/137 dst outside:192.168.10.255/137 denied due to NAT reverse path failure
I had these previously (although not nearly as many log entries) but ignored them because everything was working fine.
Actually, now that I test it again via packet tracer, it's being dropped at step WEBVPN-SVC (Flow is denied by configured rule).