Routing failed to locate next-hop

whisperwind
Level 1

Have an ASA, running 8.04, with a L2L VPN tunnel built. The ASA has two interfaces with their subnets supposed to enter the tunnel if destined to 192.168.0.0 /24

interface 1 - 192.168.3.0 /24

Interface 2 - 10.12.37.0 /24

Hosts from interface one can successfully reach devices on the subnet 192.168.0.x as expected.

However hosts on interface 2 cannot. In troubleshooting I can see the icmp replies coming back into the ASA but then my ASA reports this error and drops the replies:

Routing failed to locate next-hop for ICMP from OUTSIDE:192.168.0.252/0 to INSIDE:10.12.37.252/512

The syslog message is code 110003, which is defined as:

Recommended Action: Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. During debugging, use the show asp table routing command to view the routing table details.

The ASP routing table appears fine. The only difference between the two interfaces beside the physical is the security level, but the same sec command is present.

Any ideas?
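The log line quoted above already contains the fact that matters: the ASA resolved the destination 10.12.37.252 to INSIDE even though that host lives on the other interface. The following is an added Python example, not code from the thread or from Cisco, that parses %ASA 110003 messages and checks the interface the ASA logged as egress against the interfaces' connected subnets. The interface-to-subnet table and the sample log lines are constructed to match the topology described in the post (INSIDE = 192.168.3.0/24, STATE = 10.12.37.0/24); swap in your own show route output.

```python
import ipaddress
import re

# Syslog 110003 body, with the optional "%ASA-<sev>-110003:" prefix that real devices emit.
# Groups: protocol, ingress interface, source, source port, egress interface, destination, dest port.
LOG_RE = re.compile(
    r"(?:%ASA-\d-110003:\s*)?Routing failed to locate next-hop for (?P<proto>\S+) "
    r"from (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed connected-route table (assumption): which subnet sits behind which interface.
CONNECTED = {
    "INSIDE": ipaddress.ip_network("192.168.3.0/24"),
    "STATE": ipaddress.ip_network("10.12.37.0/24"),
}


def parse_110003(line):
    """Return the fields of a 110003 message as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def interface_for(addr, table=CONNECTED):
    """Name of the interface whose connected subnet contains addr, or None if no subnet matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in table.items():
        if ip in net:
            return name
    return None


def diagnose(line, table=CONNECTED):
    """Compare the egress interface the ASA logged with the one the connected subnets imply."""
    fields = parse_110003(line)
    if fields is None:
        return None
    expected = interface_for(fields["dst"], table)
    return {
        "dst": fields["dst"],
        "logged_egress": fields["dst_if"],
        "expected_egress": expected,
        # Only flag when we know where the host lives and the ASA picked a different interface.
        "mismatch": expected is not None and expected != fields["dst_if"],
    }


def scan(lines, table=CONNECTED):
    """Return the diagnoses for every 110003 line whose egress interface is wrong."""
    results = (diagnose(line, table) for line in lines)
    return [r for r in results if r is not None and r["mismatch"]]


# Constructed sample log lines: the first reproduces the thread's symptom, the second is a
# healthy INSIDE host, the third is an unrelated message ID that must be ignored.
SAMPLE_LOG = [
    "%ASA-6-110003: Routing failed to locate next-hop for ICMP "
    "from OUTSIDE:192.168.0.252/0 to INSIDE:10.12.37.252/512",
    "%ASA-6-110003: Routing failed to locate next-hop for ICMP "
    "from OUTSIDE:192.168.0.252/0 to INSIDE:192.168.3.10/512",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.0.252/0 "
    "gaddr 10.12.37.252/512 laddr 10.12.37.252/512",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(
            f"{hit['dst']}: ASA chose {hit['logged_egress']}, "
            f"connected subnet says {hit['expected_egress']}"
        )
```

Running the block prints one hit, 10.12.37.252 resolved to INSIDE instead of STATE. A mismatch like this means the drop is not a VPN or ACL problem but a next-hop selection problem, which is why the replies below go looking at the NAT 0 statements rather than the crypto map.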

5 Replies

ajagadee
Cisco Employee

Tom,

Based upon the description and log message, it looks like the ASA is trying to route the packets to the wrong interface.

Meaning, if 10.12.37.0/24 is located on Interface 2 (e.g. DMZ), why is the ASA trying to send the packets to the INSIDE interface?

I have seen this issue in the past if there is misconfiguration with the NAT 0 commands. For example, when you have nat (dmz) 0 0.0.0.0 0.0.0.0

If you have the above configuration, can you configure a more specific NAT 0 command and do the testing?

Regards,

Arul

** Please rate all helpful posts **

Thank you Arul, here is what I have:

global (OUTSIDE) 1 interface

nat (STATE) 0 access-list NONAT

nat (STATE) 1 10.12.37.0 255.255.255.0

nat (INSIDE) 0 access-list NONAT

nat (INSIDE) 1 192.168.3.0 255.255.255.0

access-list NONAT extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS

access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS

object-group network PRIONE-SUBNETS

network-object 192.168.0.0 255.255.255.0

Is there any way you can separate the NONAT commands? Meaning, like this:

nat (STATE) 0 access-list NONATSTATE

nat (INSIDE) 0 access-list NONATINSIDE

access-list NONATSTATE extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS

access-list NONATINSIDE extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS

Regards,

Arul

** Please rate all helpful posts **

Made the change, cleared the xlates, no change, still failing with same error message

Very interesting. For some reason, it looks like the ASA is still trying to route through the wrong interface. Can you post the configuration of the ASA?

If not, post the below configuration and outputs:

Inside Interface Configuration

DMZ Interface Configuration

Routing Table - show route

NAT Commands - After you made the changes

Static NAT

Log Message

Regards,

Arul
