topic Re: routing failed to locate next hop for TCP - Anyconnect in Network Security

routing failed to locate next hop for TCP - Anyconnect

Psmurali89 — Sun, 07 Apr 2024 14:10:09 GMT

Hi All,

I configured anyconnect vpn in ASA and its working ok. I enabled ASDM access in inside interface (10.10.50.254). After connecting to VPN, i tried to ping and connect to ASDM on 10.10.50.254 but its not working and i get "routing failed to locate next hop for TCP" in the logs. I configured access rules, NAT etc and also when i do route print in laptop i can see this inside subnet. Am not sure this even supposed to work, if not how do i connect to firewall ASDM or SSH via anyconnect vpn? if i connect a PC in subnet (10.10.50.11), i can ofcourse connect to ASDM. Also, i can ping this PC after connecting to anyconnect vpn (192.168.40.11), its just the inside interface i cant able to connect/ping. I dont see any traffic hitting the access rules either, i believe its most likely the NAT issue but i tried few ways of doing it but nothing working. Any help is much appreciated.

Below is the config.

ASA Version 9.12(4)40
!
hostname Home-Fw
domain-name Home-Fw.local
ip local pool Home-Fw 192.168.40.10 - 192.168.40.50 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif Outside
security-level 0
pppoe client vpdn group BT-PoE
ip address pppoe setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 90
ip address 10.10.50.254 255.255.255.0
!
interface GigabitEthernet0/2
nameif Wi-Fi
security-level 90
ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name Home-Fw.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Network
subnet 10.10.50.0 255.255.255.0
object network Wi-Fi
subnet 192.168.1.0 255.255.255.0
object network VPN
subnet 192.168.40.0 255.255.255.0
object network Inside
subnet 10.10.50.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 10.10.50.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 10.10.50.0 255.255.255.0 any
access-list Wi-Fi_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Home-Fw standard permit 10.10.50.0 255.255.255.0
access-list Home-Fw standard permit 192.168.10.0 255.255.255.0
access-list Home-Fw standard permit 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit ip object VPN object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu Wi-Fi 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7131 -101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Outside,inside) source static VPN VPN destination static Inside Inside no-proxy-arp
!
object network Inside-Network
nat (inside,Outside) dynamic interface
object network Wi-Fi
nat (Wi-Fi,Outside) dynamic interface
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group Wi-Fi_access_in in interface Wi-Fi
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 192.168.10.0 255.255.255.0 management
http 10.10.50.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 Wi-Fi
http 192.168.40.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 10.10.50.0 255.255.255.0 inside
console timeout 0
vpdn group BT-PoE request dialout pppoe
vpdn group BT-PoE localname
vpdn group BT-PoE ppp authentication chap
vpdn username user password *****
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 192.168.1.65- 192.168.1.250 Wi-Fi
dhcpd enable Wi-Fi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
http-headers
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.01095-webdeploy-k9.pkg 1
anyconnect profiles Home-Fw disk0:/Home-Fw.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy Home-Fw internal
group-policy Home-Fw attributes
dns-server value 8.8.8.8
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Home-Fw
webvpn
anyconnect profiles value Home-Fw type user
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
username user1d password ***** pbkdf2 privilege 15
username user1 password ***** pbkdf2 privilege 15
tunnel-group Home-Fw type remote-access
tunnel-group Home-Fw general-attributes
address-pool Home-Fw
default-group-policy Home-Fw
tunnel-group Home-Fw webvpn-attributes
group-alias Home-Fw enable
!
class-map inspection_default
match default-inspection-traffic
!
!

Re: routing failed to locate next hop for TCP - Anyconnect

Rob Ingram — Sun, 07 Apr 2024 14:10:20 GMT

@Psmurali89 to allow management of the ASA over a VPN you need to use the management-access <interface name> command.

"If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface"

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.pdf

Re: routing failed to locate next hop for TCP - Anyconnect

Psmurali89 — Sun, 07 Apr 2024 16:55:27 GMT

Thank you, I have made the changes but i still cant able to ping or use ASDM on inside interface after connecting to anyconnect vpn. It still says "routing failed to locate next hop for TCP". Not sure what am missing here.

Home-FW# sh run | i management-acc
management-access inside
Home-FW#

Home-FW# sh run | i nat
nat (inside,Outside) source static Inside Inside destination static VPN VPN
nat (inside,Outside) dynamic interface
nat (Wi-Fi,Outside) dynamic interface

Re: routing failed to locate next hop for TCP - Anyconnect

Rob Ingram — Sun, 07 Apr 2024 17:03:27 GMT

@Psmurali89 enable http access from the VPN to the inside interface.

http 192.168.40.0 255.255.255.0 inside

Re: routing failed to locate next hop for TCP - Anyconnect

Psmurali89 — Sun, 07 Apr 2024 18:22:07 GMT

Unfortunately its still the same. I cant ping, browse or connect via ASDM. Does the NAT rule looks ok? When i ping 10.10.50.254 from laptop, I cant even see the hits in Outside incoming access rule.

# sh run | i http
aaa authentication http console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 management
http 10.10.50.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 Wi-Fi
http 92.40.190.7 255.255.255.255 Outside
http 192.168.40.0 255.255.255.0 inside

Route Print from laptop:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.204.111 192.168.204.210 55
8.8.8.8 255.255.255.255 192.168.40.1 192.168.40.11 2
10.10.50.0 255.255.255.0 192.168.40.1 192.168.40.11 2

192.168.1.0 255.255.255.0 192.168.40.1 192.168.40.11 2
192.168.10.0 255.255.255.0 192.168.40.1 192.168.40.11 2
192.168.40.0 255.255.255.0 On-link 192.168.40.11 257
192.168.40.11 255.255.255.255 On-link 192.168.40.11 257

Re: routing failed to locate next hop for TCP - Anyconnect

Psmurali89 — Thu, 18 Apr 2024 14:12:20 GMT

Hi All,

Any suggestion on how to fix this issue please?

Re: routing failed to locate next hop for TCP - Anyconnect

tvotna — Thu, 18 Apr 2024 15:03:08 GMT

I have two ideas:

nat (inside,Outside) source static Inside Inside destination static VPN VPN no-proxy-arp route-lookup

"route-lookup" is typically a must in this scenario, although ASA behavior changed many times. Refer to CSCtr16184. Also, I never remember what needs to be configured here:

http 192.168.40.0 255.255.255.0 inside

http 192.168.40.0 255.255.255.0 Outside

Secondly, if above doesn't help, the issue might be due to PPPoE. Believe you or not, routing in the control-plane is implemented differently for ethernet and PPPoE interfaces. If this is the case, there is no workaround. But I hope that adding "route-lookup" will resolve the issue.