Routing failed to locate next hop for TCP from outside:

yuchenglai
Level 1

I have a vendor who uses an ASA at his end to build a VPN tunnel to us. He gets the following error when he attempts to send traffic to us through the VPN tunnel. One thing to point out is that I am able to see his SYN packet arrive at the destination host located behind my side of the tunnel, as well as seeing the SYN,ACK packet, but I never see the return ACK packet. The appliance at the other end of the tunnel generated this error in their ASDM:

Routing failed to locate next hop for TCP from outside:our host:our port to inside: their host: their port.

My thinking is that the TCP SYN,ACK is not getting to their host, which explains why the last ACK of the TCP 3-way handshake is never seen at my side.

Any comments would be appreciated

6 Replies

John Blakley
VIP Alumni

I'm assuming this is ASA --> ASA? On both ends, the ACL that's on the outside interface needs to allow esp, udp 500, and (possibly) AH through the firewall.

So if their public IP is 5.5.5.5, your ACL would be (the destination after the second "host" is your own public IP; the placeholder below stands in for the address that was dropped from the post):

access-list VPN permit udp host 5.5.5.5 host <your-public-IP> eq isakmp

access-list VPN permit esp host 5.5.5.5 host <your-public-IP>

access-list VPN permit ah host 5.5.5.5 host <your-public-IP>

HTH,

John


Nortel on my end, ASA on their end. I will suggest that to them and see if that helps.

Make sure you don't have PFS set on either side also.

John

John,

From what I understand, this is sounding more like IPSec than a route issue?

Hello Yu-Cheng,

Can you ask the remote end if they have more than one interface facing the internet with public IPs, and ask if they already have a route for your subnet to somewhere else (maybe they have a site-to-site VPN with another company that has the same subnet as yours, or an internal network routed inside).

Also please ask them to run "debug crypto isakmp" and "debug crypto ipsec" and let them send you the output for you to paste here.

Regards

It turns out that this problem has been resolved by fixing a route problem at the distant end controlled by the vendor. As the syslog message suggested, they forgot to create a route on their border router/VPN device to their newly created DMZ.
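As an added illustration that is not part of the thread, here is a small Python triage helper that parses this ASA message (message ID 110003) and checks the logged destination against a routing table snapshot: it flags the case from this thread, where the only match for the DMZ host is the default route pointing back out the interface the packet arrived on. The log lines, addresses, interface names and routing table are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample syslog lines (not from the thread); addresses are from
# documentation ranges and follow the layout of ASA message %ASA-6-110003.
SAMPLE_LOGS = [
    "%ASA-6-110003: Routing failed to locate next hop for TCP from "
    "outside:203.0.113.10/443 to inside:10.20.30.5/51234",
    "%ASA-6-110003: Routing failed to locate next hop for TCP from "
    "outside:203.0.113.10/443 to inside:10.10.1.7/51235",
]
# Constructed routing table: (prefix, egress interface, next hop). The new
# DMZ 10.20.30.0/24 has no entry, mirroring the root cause in the thread.
ROUTES = [
    ("0.0.0.0/0", "outside", "198.51.100.1"),
    ("10.10.0.0/16", "inside", "10.1.1.2"),
]
MSG_RE = re.compile(
    r"Routing failed to locate next hop for (\w+) from "
    r"(\w+):([\d.]+)[/:](\d+) to (\w+):([\d.]+)[/:](\d+)"
)

def parse_no_next_hop(line):
    """Extract protocol, interfaces, hosts and ports; None for other lines."""
    if not (m := MSG_RE.search(line)):
        return None
    proto, sif, src, sport, dif, dst, dport = m.groups()
    return {"proto": proto, "src_if": sif, "src": src, "sport": int(sport),
            "dst_if": dif, "dst": dst, "dport": int(dport)}

def best_route(routes, ip):
    """Longest-prefix match; returns (network, iface, next_hop) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best

def diagnose(line, routes):
    """Check the logged destination against the table. The route is unusable
    when nothing matches or the best match (here the default route) would
    send the packet back out the interface it arrived on."""
    if (f := parse_no_next_hop(line)) is None:
        return None
    r = best_route(routes, f["dst"])
    f["matched"] = str(r[0]) if r else None
    f["egress"] = r[1] if r else None
    f["route_ok"] = r is not None and r[1] != f["src_if"]
    return f
```

Running diagnose over a day's worth of these messages and grouping by destination prefix gives the list of networks the firewall still needs routes for.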