Routing failed to locate next-hop

Unanswered Question
Sep 30th, 2008

Have an ASA, running 8.04, with an L2L VPN tunnel built. The ASA has two interfaces whose subnets are supposed to enter the tunnel if destined to 192.168.0.0/24:

Interface 1 - 192.168.3.0/24

Interface 2 - 10.12.37.0/24


Hosts from interface one can successfully reach devices on the subnet 192.168.0.x as expected.


However, hosts on interface 2 cannot. In troubleshooting I can see the ICMP replies coming back into the ASA, but then my ASA reports this error and drops the replies:


Routing failed to locate next-hop for ICMP from OUTSIDE:192.168.0.252/0 to INSIDE:10.12.37.252/512


The syslog message is code 110003, which is defined as:


Recommended Action: Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. During debugging, use the show asp table routing command to view the routing table details.


The ASP routing table appears fine. The only difference between the two interfaces besides the physical one is the security level, but the same sec command is present.


Any ideas?

ajagadee Tue, 09/30/2008 - 09:36
User Badges: Cisco Employee

Tom,


Based upon the description and log message, it looks like the ASA is trying to route the packets to the wrong interface.


Meaning, if 10.12.37.0/24 is located on Interface 2 (e.g. DMZ), why is the ASA trying to send the packets to the INSIDE interface?


I have seen this issue in the past if there is a misconfiguration with the NAT 0 commands. For example, when you have nat (dmz) 0 0.0.0.0 0.0.0.0


If you have the above configuration, can you configure a more specific NAT 0 command and do the testing?


Regards,

Arul


** Please rate all helpful posts **

whisperwind Tue, 09/30/2008 - 09:51

Thank you Arul, here is what I have:


global (OUTSIDE) 1 interface

nat (STATE) 0 access-list NONAT

nat (STATE) 1 10.12.37.0 255.255.255.0

nat (INSIDE) 0 access-list NONAT

nat (INSIDE) 1 192.168.3.0 255.255.255.0


access-list NONAT extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS

access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS


object-group network PRIONE-SUBNETS

network-object 192.168.0.0 255.255.255.0


ajagadee Tue, 09/30/2008 - 09:59
User Badges: Cisco Employee

Is there any way you can separate the NONAT commands? Meaning, like this:


nat (STATE) 0 access-list NONATSTATE

nat (INSIDE) 0 access-list NONATINSIDE


access-list NONATSTATE extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS


access-list NONATINSIDE extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS


Regards,

Arul


** Please rate all helpful posts **
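The configuration posted above reuses one access-list (NONAT) for the nat 0 statements on both interfaces, and the suggestion here is to give each interface its own exemption ACL. The script below is an added example, not something posted in this thread or part of any Cisco tool: it parses the nat 0 and access-list lines as posted, and flags the two patterns Arul asks to remove (an ACL shared by several interfaces' nat 0 statements, and an exemption entry whose source subnet does not belong to the interface it is applied on). The interface names and subnets (INSIDE = 192.168.3.0/24, STATE = 10.12.37.0/24) are assumed from the question; the SPLIT_CONFIG sample reproduces the separated version suggested here.

```python
import ipaddress
import re

# Assumed from the question: which subnet lives behind each named interface.
INTERFACE_SUBNETS = {
    "INSIDE": ipaddress.ip_network("192.168.3.0/24"),
    "STATE": ipaddress.ip_network("10.12.37.0/24"),
}

# Constructed sample: the NAT/ACL lines as posted, with one shared NONAT ACL.
SAMPLE_CONFIG = """\
global (OUTSIDE) 1 interface
nat (STATE) 0 access-list NONAT
nat (STATE) 1 10.12.37.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT
nat (INSIDE) 1 192.168.3.0 255.255.255.0
access-list NONAT extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS
object-group network PRIONE-SUBNETS
 network-object 192.168.0.0 255.255.255.0
"""

# Constructed sample: the same thing after splitting the ACL per interface.
SPLIT_CONFIG = """\
nat (STATE) 0 access-list NONATSTATE
nat (INSIDE) 0 access-list NONATINSIDE
access-list NONATSTATE extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS
access-list NONATINSIDE extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS
"""

# Only the two line shapes the check needs: "nat (IFACE) 0 access-list NAME"
# and "access-list NAME extended permit ip SRC MASK ..." (hypothetical parser,
# not a full ASA config grammar).
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)\s*$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) ")


def parse(config):
    """Return ({interface: nat0_acl_name}, {acl_name: [source_network, ...]})."""
    nat0 = {}
    acl_sources = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = ACE_RE.match(line)
        if m:
            name, src, mask = m.groups()
            # ip_network accepts "address/netmask"; strict=False tolerates host bits.
            net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
            acl_sources.setdefault(name, []).append(net)
    return nat0, acl_sources


def check_nat0(config, interface_subnets):
    """Return human-readable findings for the NAT-exemption layout in `config`."""
    nat0, acl_sources = parse(config)
    findings = []

    # 1. One ACL referenced by nat 0 on more than one interface.
    by_acl = {}
    for iface, acl in nat0.items():
        by_acl.setdefault(acl, []).append(iface)
    for acl, ifaces in by_acl.items():
        if len(ifaces) > 1:
            findings.append(f"ACL {acl} is used for nat 0 on {sorted(ifaces)}")

    # 2. An exemption entry whose source is not a subnet of the interface it is on.
    for iface, acl in nat0.items():
        local = interface_subnets.get(iface)
        if local is None:
            findings.append(f"no subnet known for interface {iface}")
            continue
        for src in acl_sources.get(acl, []):
            if not src.subnet_of(local):
                findings.append(
                    f"{iface}: {acl} exempts source {src}, which is not within {local}"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("split per interface", SPLIT_CONFIG)):
        print(f"--- {label} ---")
        for f in check_nat0(cfg, INTERFACE_SUBNETS) or ["no findings"]:
            print(f)
```

On the posted configuration the checker reports the shared ACL plus one off-interface entry per interface; on the split version it reports nothing. It only inspects the exemption layout, so a clean result does not by itself prove the routing problem is gone, as the follow-up in this thread shows.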

whisperwind Tue, 09/30/2008 - 10:09

Made the change, cleared the xlates, no change, still failing with the same error message.

ajagadee Tue, 09/30/2008 - 11:10
User Badges: Cisco Employee

Very interesting. For some reason, it looks like the ASA is still trying to route through the wrong interface. Can you post the configuration of the ASA?


If not, post the configuration and outputs below:


Inside Interface Configuration

DMZ Interface Configuration

Routing Table - Show route

NAT Commands - After you made the changes

Static NAT

Log Message


Regards,

Arul

