Routing failed to locate next hop for icmp from NP Identity

Unanswered Question
May 13th, 2010
User Badges:

Iam configuring Site to Site tunnel between ASA 5505.

My topology:   10.77.59.0 ==Lan==|ASA1|=========|ASA2|==192.168.1.0

  and  One more tunnel bw

192.168.1.0==|ASA2|=====|Draytek|==192.168.16.0

  Both the tunnel is up any from inside PC i can ping any PC in both the ASA and Draytek  network

  From ASA2 iam not able to ping any Lan ips (even when source interface specifed)

ie,  From ASA1 i can ping 192.168.1.1(inside interface of ASA2) and i got reply

From Draytek i can ping any lan ip and iam getting reply

From ASA2 i can't ping 10.77.59.9(inside interface of ASA1) or other Tunnel to Draytek (Lan ip 192.168.16.1)

when i check the log it shows the error:


  6     May 13 2010     08:04:14     110003     192.168.1.1     0     0     192.168.16.1     Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.1.1/0 to inside:192.168.16.1/0


It seems like routing issue but iam not able to understand

This is my Config:for routing

ASA01# sh asp table routing  in   255.255.255.255 255.255.255.255 identity

in   127.0.0.1       255.255.255.255 identity

in   10.77.59.9      255.255.255.255 identity

in   WAN ip  255.255.255.255 identity

in   WAN ip  255.255.255.240 outside

in   10.77.59.0      255.255.255.192 inside

in   192.168.1.0 255.255.255.0   outside

in   0.0.0.0         0.0.0.0         outside

out  255.255.255.255 255.255.255.255 outside

out  WAN ip  255.255.255.240 outside

out  192.168.1.0 255.255.255.0   via 192.168.1.1, outside

out  224.0.0.0       240.0.0.0       outside

out  0.0.0.0         0.0.0.0         via WAN ip, outside

out  255.255.255.255 255.255.255.255 inside

out  10.77.59.0      255.255.255.192 inside

out  224.0.0.0       240.0.0.0       inside

out  255.255.255.255 255.255.255.255 _internal_loopback

out  224.0.0.0       240.0.0.0       _internal_loopback

out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity

out  ::              ::              via 0.0.0.0, identity

Gateway of last resort is WAN ip to network 0.0.0.0


Sh ip route:

C    10.77.59.0 255.255.255.192 is directly connected, inside

C    123.238.10.144 255.255.255.240 is directly connected, outside

S    192.168.1.0 255.255.255.0 [1/0] via 192.168.1.1, outside

S*   0.0.0.0 0.0.0.0 [1/0] via WAN ip, outside 


ciscoasa2# sh asp table routing

in   255.255.255.255 255.255.255.255 identity

in   127.0.0.1       255.255.255.255 identity

in   192.168.1.1     255.255.255.255 identity

in   WAN ip   255.255.255.255 identity

in   WAN ip   255.255.255.248 outside

in   10.77.59.0           255.255.255.192 outside

in   192.168.1.0     255.255.255.0   inside

in   Draytek         255.255.255.0   outside

in   0.0.0.0         0.0.0.0         outside

out  255.255.255.255 255.255.255.255 outside

out  WAN ip   255.255.255.248 outside

out  10.77.59.0           255.255.255.192 via 10.77.59.9, outside

out  Draytek         255.255.255.0   via 192.168.16.1, outside

out  224.0.0.0       240.0.0.0       outside

out  0.0.0.0         0.0.0.0         via WAN ip, outside

out  255.255.255.255 255.255.255.255 inside

out  192.168.1.0     255.255.255.0   inside

out  224.0.0.0       240.0.0.0       inside

out  255.255.255.255 255.255.255.255 _internal_loopback

out  224.0.0.0       240.0.0.0       _internal_loopback

out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity

out  ::              ::              via 0.0.0.0, identity


  Any help please

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Fri, 05/14/2010 - 01:53
User Badges:
  • Cisco Employee,

Can you share configuration on both ASA?


Also, pls make sure that you have "management-access inside" on ASA1, and also "inspect icmp" on both ASA1 and ASA2.

patdurante Fri, 11/18/2011 - 06:41
User Badges:

Man, you just helped me resolve a 3 day issue with a site to site VPN.  Thanks for the tip about management-access inside. 

Actions

This Discussion