Cisco Support Community
Routing failed to locate next hop

Hello All,

When trying to access my web server inside the dmz I'm getting the following message in the syslog and the connection fails:

Routing failed to locate next hop for TCP from outside: to dmz:

Appreciate any help with this.....


Accepted Solutions

Re: Routing failed to locate next hop

Could you please post the relevant config?


Re: Routing failed to locate next hop

What is your IOS Software version and release?

I am not exactly sure prior to which version, but in some software releases you should add static routes for the hosted web server in the DMZ pointed to the DMZ interface, besides of course having your NAT correctly configured with the appropriate interface access-list to permit the traffic from outside to DMZ.





Re: Routing failed to locate next hop

I was able to fix that prior problem, but maybe you can help with this one.

If I use Outlook to send or receive email from the inside VLAN through the outside VLAN, I get the following syslog message:

6 Jan 24 2009 16:32:36 106015 Deny TCP (no connection) from to xx.yyy.121.101/1502 flags RST ACK on interface outside

xx.yyy.121.101 is my outside IP address is the roadrunner mail provider which I send mail through.

If I send mail from outside, it is received by my mail server in the dmz VLAN.

My Config:

ciscoasa> ena
ciscoasa# show run
: Saved

ASA Version 7.2(4)

hostname ciscoasa
enable password :*** Removed by me ***encrypted
passwd :*** Removed by me ***.:*** Removed by me ***encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10

interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4
 switchport access vlan 3

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS

access-list outside_access_in extended permit tcp any host xx.yyy.121.101
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1
static (dmz,outside) tcp interface www www netmask
static (dmz,outside) tcp interface smtp smtp netmask
static (dmz,outside) tcp interface pop3 pop3 netmask
static (inside,dmz) netmask
static (dmz,inside) netmask
access-group outside_access_in in interface outside
route outside xx.yyy.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside

dhcpd address inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context
Cryptochecksum:*** Removed by me ***
: end

Thanks in advance.....


Re: Routing failed to locate next hop

Is your outside address? If so, I was able to access www, smtp and pop3.

