Avatar of Steve Jennings
Steve Jennings

asked on 

Testing an iptables to Cisco ASA conversion -- overcoming "no adjacency" errors

I am in the process of having a vendor convert iptables configurations into ASA FirePower configurations. And I am testing using a couple of methods. I have taken the iptables log (which are primarily DROPs) and extracted IP addrs/ports and fed these into python / scapy code and sent them to the firewall. I have also taken the same extracted IP addrs/ports and turned them into "packet-tracer" command line entries and sent them to the ASA over an SSH connection. I have a limited lab environment, and I am running the ASA config on ESXi and using 2 Ubuntu 18.04 instances to send traffic and CLI requests to the ASA.

For the "packet-tracer" command line stuff, I am getting a LOT of "Drop-reason: (no adjacency) No valid adjacency". And when I create an adjacency (by adding an IP address on the ubuntu instance) I can fix the adjacency issue. But this seems cumbersome and there are far more IP addresses that I need to test than is practical to configure on the ubuntu box.

This would be a scary piece of code . . . but is there an app or can an app be configured (like netcat  or some such) that would respond to arp requests for any IP address? Or are there other reasons the ASA would throw the adjacency error?

I am brand new to the ASA . . . and most of my research on adjacency errors refers to NAT'ing out the wrong interface, and I am not NATing these addresses.

Thanks in advance for the help
Hardware FirewallsCisco

Avatar of undefined
Last Comment
Steve Jennings
Avatar of Steve Jennings
Steve Jennings


Seems as though the issue was my lack of understanding of the ASA. I created a full ASA configuration and now my code works as expected.
Avatar of Steve Jennings
Steve Jennings

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Steve Jennings



Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo