Tag Archives: nat

ASA 8.4 – no valid adjacency

I recently went through the process of upgrading a customer’s ASA from 7.2 to 8.4 code. After the upgrade finished, I noticed that internet access for my VPN users connecting over a full-tunnel connection was failing. Debugging showed TCP connections being torn down due to “no valid adjacency.” This was caused by a NAT rule sourcing from any and destined for my VPN subnet. Based on the configuration, I believe the NAT rule was intended to NAT-exempt internal network traffic to the VPN users.

In the examples below, these are the object groups:

object-group network Inside_LAN
network-object 10.1.1.0 255.255.255.0

object-group network VPN_Clients
network-object 10.1.250.0 255.255.255.0

The NAT rule causing the problem was:

nat (inside,any) source static any any destination static VPN_Clients VPN_Clients

I fixed the issue by setting up a more restricted NAT rule that sources only from the internal LAN object:

nat (inside,any) source static Inside_LAN Inside_LAN destination static VPN_Clients VPN_Clients

ASA 8.3+ Asymmetric NAT rules matched for forward and reverse flows

For site-to-site (L2L) VPN connections, you may see the following error message on 8.3(2) and later configurations:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:x.x.x.x/3214 dst inside:y.y.y.y/80 denied due to NAT reverse path failure

This is due to the unidirectional keyword that the migration incorrectly added to your NAT configuration. If you upgraded from 8.2 code directly to 8.3(2) without going to 8.3(1) first, the NAT migration tags every NAT rule with the unidirectional keyword, which allows only traffic initiated from the source side.

Your configuration will look something like this:

nat (inside,any) source static obj-x.x.x.x obj-x.x.x.x destination static obj-y.y.y.y obj-y.y.y.y unidirectional

Simply remove the unidirectional keyword so that your configuration looks like the following, and you will be good to go.

nat (inside,any) source static obj-x.x.x.x obj-x.x.x.x destination static obj-y.y.y.y obj-y.y.y.y
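As an added example (not part of either post above), here is a small Python audit that scans an ASA 8.3+ configuration for the two rule shapes these posts describe: an identity NAT with source static any any toward a destination object (the first post), and a migrated rule still carrying the unidirectional keyword (the second post). The configuration excerpt is constructed for the example; the function and regex names are my own.

```python
import re

# Constructed sample ASA 8.4 configuration excerpt (not from a real device);
# it contains both rule shapes discussed in the posts above.
SAMPLE_CONFIG = """\
object-group network Inside_LAN
 network-object 10.1.1.0 255.255.255.0
object-group network VPN_Clients
 network-object 10.1.250.0 255.255.255.0
nat (inside,any) source static any any destination static VPN_Clients VPN_Clients
nat (inside,any) source static Inside_LAN Inside_LAN destination static VPN_Clients VPN_Clients
nat (inside,any) source static obj-x.x.x.x obj-x.x.x.x destination static obj-y.y.y.y obj-y.y.y.y unidirectional
"""

# Matches twice-NAT ("source static ... destination static ...") rules.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<opts>.*)$"
)

def audit_nat_rules(config_text):
    """Return (line_number, rule, finding) tuples for NAT rules that match
    either problem pattern. Line numbers count from 1 within config_text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts").split()
        # Second post: migration artifact that only permits source-initiated
        # flows, so return traffic fails the NAT reverse-path check (305013).
        if "unidirectional" in opts:
            findings.append((lineno, line,
                "unidirectional keyword: reverse flows fail NAT reverse path check"))
        # First post: identity NAT from 'any' catches far more than the
        # inside LAN the author meant to exempt; scope it to a network object.
        if (m.group("src_real") == "any" and m.group("src_mapped") == "any"
                and m.group("dst_real") is not None):
            findings.append((lineno, line,
                "source static any any with destination identity NAT: overly broad"))
    return findings

def strip_unidirectional(rule):
    """The second post's fix: the same rule with the unidirectional keyword dropped."""
    return " ".join(tok for tok in rule.split() if tok != "unidirectional")

if __name__ == "__main__":
    for lineno, rule, finding in audit_nat_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}\n    {rule}")
```

Run it against the output of show running-config nat to list the rules worth revisiting before (or after) a migration.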