Failed to locate egress interface...

Hi,

I configured a LAN-to-LAN VPN and it works fine.

The VPN uses IKEv2 and certificate authentication.

Lan2Lan.jpg

Computer 1 can join Computer 2 without problem.

From Computer 1, I tried to access the IP of Inside 2 (ping, ASDM...) but I get this error: Failed to locate egress interface

I don't understand why I can access the IP of Computer 2 but not the IP of Inside 2. Those 2 IPs are on the same network and the packets pass through the same devices...

How can I solve this problem?

Thanks for your help,

Patrick

ACCEPTED SOLUTION

Hi,

I imagine that both devices we are talking about are Cisco firewalls? I mean the devices doing the VPN.

Cisco firewalls don't allow ICMP from behind one interface to another interface on the same device. The only exception to this is when traffic is coming through VPN and a specific configuration command has been entered on the device to which you are trying to ICMP from behind a VPN connection.

So if Computer 1 needs to ICMP Inside 2 then the firewall that has the Inside 2 interface must be configured with the command

management-access

The same configuration is required on the other firewall if Computer 2 needs to ICMP Inside 1.

There might also be NAT-related configurations that need modification, but this depends on the software level of your firewalls, which we don't know.

- Jouni

Hi Jouni,

Thanks for your quick answer

I use 2 Cisco ASA 5515-X on version 9.1(2).

Your solution works great!

I saw the management-access option but I didn't think that it would unblock ping.

Thanks again,

Patrick
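For readers reproducing this on ASA 9.1, the following fragment for the firewall that owns Inside 2 shows the management-access command from the accepted solution together with the NAT exemption it hints at; it is an added illustration, not configuration from Patrick's or Jouni's posts, and the subnets, object names and interface names (inside/outside) are constructed assumptions.

```cisco
! Constructed addressing (assumption): Site 1 LAN 192.168.1.0/24 behind ASA-1,
! Site 2 LAN 192.168.2.0/24 behind ASA-2, whose "inside" interface is 192.168.2.1.
object network SITE1-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE2-LAN
 subnet 192.168.2.0 255.255.255.0
!
! Exempt the LAN-to-LAN traffic from NAT (8.3+ "twice NAT" syntax).
! The inside interface address 192.168.2.1 is part of SITE2-LAN, so the
! Computer 1 -> Inside 2 flow is covered by the same identity rule.
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static SITE1-LAN SITE1-LAN no-proxy-arp route-lookup
!
! Let hosts arriving through the VPN on "outside" reach the "inside"
! interface address itself (ping, ASDM, SSH). Without this the ASA logs
! "Failed to locate egress interface" and drops the packet.
management-access inside
!
! Keep management exposure narrow: only the remote site's LAN may open
! ASDM (HTTPS) or SSH to the inside address, not every VPN-reachable host.
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
```

The ASA accepts management-access on only one interface at a time, so pick the interface whose address remote administrators actually need; ICMP to that address works as soon as the command is applied, while ASDM and SSH additionally require the matching http/ssh lines.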
