ASA: Unable to ping out of secondary outside interface

Group IT
Level 1
Hello,
Please could someone kindly point me in the right direction for configuring our ASA to successfully ping out of a secondary internet connection?
ASA 5515 9.3(3)7
We have an existing outside (internet) interface:
    • ASA interface Name: 'BTnet' on Gi0/0
    • ASA Gi0/0 Address: x.x.1.202 / 255.255.255.248
    • ISP router's inside interface address: x.x.1.201
    • ASA Static route: BTnet 0.0.0.0/0.0.0.0 GW: x.x.1.201 metric: 5
If I use the ASDM ping tool to ping the ISP router or 8.8.8.8 (or 8.8.4.4), the ping works fine.
All happy days.
Now, we have just had a secondary internet line installed by the same ISP, and I am doing basic testing. Similar setup:
    • ASA interface Name 'BTnet_2' on Gi0/4
    • ASA Gi0/4 Address: x.x.2.50 / 255.255.255.248
    • ISP router's inside interface address: x.x.2.49
    • Another ASA static route added: BTnet_2 0.0.0.0/0.0.0.0 GW: x.x.2.49 metric: 8
If I use the ping tool again, to ping the new ISP router, it pings fine. But, if I try to ping further (8.8.8.8/8.8.4.4) it fails, and I get the following in the ASA log:
6 Aug 16 2017 17:33:05 110003 Ifc 8.8.4.4 0 Routing failed to locate next hop for icmp from NP Identity Ifc:x.x.2.50/0 to BTnet_2:8.8.4.4/0
I'll be honest, I don't really understand what the error is telling me, other than it failed. How can it fail to find the next hop for 8.8.4.4 when I have a static route for 'everything' (0.0.0.0) on BTnet_2 interface to use the ISP router (x.x.2.49)? Why is it apparently ignoring my route?
If I add a static route to 8.8.4.4 as follows, then the ping (via BTnet_2) works:
BTnet_2 8.8.4.4/255.255.255.255 GW: x.x.2.49 metric: 1
What am I misunderstanding? How can I get the ping to work without creating a specific static route to 8.8.4.4?
Please let me know what further information you may need to guide me.
Thanks for reading.
Best Regards,
Elliot
1 Reply

Dinesh Moudgil
Cisco Employee

Hi Elliot,

As a rule of thumb, the ASA will always use the default route with the lower metric value. Your configuration has:

BTnet 0.0.0.0/0.0.0.0 GW: x.x.1.201 metric: 5
BTnet_2 0.0.0.0/0.0.0.0 GW: x.x.2.49 metric: 8

The preferred route in this case is: BTnet 0.0.0.0/0.0.0.0 GW: x.x.1.201 (since it has metric 5)

So when a packet is destined to 8.8.4.4, by default, the route that is taken is via the BTnet interface, since it has the lower metric.

But when you source a ping packet from BTnet_2, it also tries to use the default route, which is associated with the BTnet interface, and since BTnet_2 doesn't know how to reach x.x.1.201, it throws the error

Routing failed to locate next hop 

i.e. routing on the ASA failed to locate the next hop (x.x.1.201), since it doesn't lie in the same network range as the address associated with BTnet_2 (x.x.2.50/29).

Summary:
If you source ping from BTnet, it will work:
e.g. ping BTnet 8.8.4.4

but if you source ping from BTnet_2, it won't.
e.g. ping BTnet_2 8.8.4.4

Hope that helps.

Regards,
Dinesh Moudgil

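The following is an added example, not code from the thread or from Cisco: a small Python model of the route selection the reply describes, so the behaviour can be reproduced offline. It applies two rules in order (only the lowest-distance route for a given prefix is installed; among installed routes the longest matching prefix wins) and then the check behind the "Routing failed to locate next hop" message: a ping sourced from a named interface can only use a route whose egress interface is that interface. It also shows two things the thread does not spell out: the host route works because /32 is a longer prefix than /0, not because of its metric of 1, and once it exists all traffic to 8.8.4.4 leaves via BTnet_2. The addresses are RFC 5737 documentation ranges standing in for the redacted x.x.1.x and x.x.2.x blocks in the post (an assumption; any two /29s would do).

```python
"""Illustrative model (not ASA code) of the routing decision in the thread above.

Rule 1: among candidate routes for the SAME prefix, only the one with the
        lowest administrative distance (the 'Metric' column in ASDM) is installed.
Rule 2: for a destination, the installed route with the LONGEST matching
        prefix wins, whatever its distance.
Check:  a ping sourced from interface X can only use a route that egresses
        via X; otherwise the ASA reports 'Routing failed to locate next hop'.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ROUTING_FAILED = "Routing failed to locate next hop"


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address | None   # None = directly connected
    distance: int                           # ASA route distance ('Metric' in ASDM)


def route(iface, prefix, gateway=None, distance=1):
    gw = ipaddress.IPv4Address(gateway) if gateway else None
    return Route(iface, ipaddress.IPv4Network(prefix), gw, distance)


# Constructed stand-in addressing for the redacted x.x.1.x / x.x.2.x blocks.
CONNECTED = [
    route("BTnet",   "198.51.100.200/29", distance=0),  # ASA .202, ISP router .201
    route("BTnet_2", "203.0.113.48/29",   distance=0),  # ASA .50,  ISP router .49
]
# The two default routes from the question (metric 5 and metric 8).
DEFAULTS = [
    route("BTnet",   "0.0.0.0/0", "198.51.100.201", distance=5),
    route("BTnet_2", "0.0.0.0/0", "203.0.113.49",   distance=8),
]
# The workaround the poster found: a host route for 8.8.4.4 out of BTnet_2.
HOST_ROUTE = route("BTnet_2", "8.8.4.4/32", "203.0.113.49", distance=1)


def install(candidates):
    """Rule 1: build the RIB, keeping one route per prefix (lowest distance)."""
    rib = {}
    for r in sorted(candidates, key=lambda r: r.distance):
        rib.setdefault(r.prefix, r)          # first seen = lowest distance
    return list(rib.values())


def lookup(rib, dst):
    """Rule 2: longest-prefix match over installed routes (None if no match)."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in rib if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def ping(rib, src_iface, dst):
    """Outcome of 'ping <src_iface> <dst>' as the thread describes it."""
    best = lookup(rib, dst)
    if best is None or best.iface != src_iface:
        return ROUTING_FAILED
    return f"ok via {best.iface} next hop {best.gateway or 'connected'}"


def scenario(extra_routes=()):
    """Run the pings from the thread against a RIB with optional extra routes."""
    rib = install(CONNECTED + DEFAULTS + list(extra_routes))
    return {
        "installed defaults": [r.iface for r in rib if r.prefix.prefixlen == 0],
        "ping BTnet 8.8.4.4":        ping(rib, "BTnet",   "8.8.4.4"),
        "ping BTnet_2 203.0.113.49": ping(rib, "BTnet_2", "203.0.113.49"),
        "ping BTnet_2 8.8.4.4":      ping(rib, "BTnet_2", "8.8.4.4"),
        "ping BTnet_2 8.8.8.8":      ping(rib, "BTnet_2", "8.8.8.8"),
    }


if __name__ == "__main__":
    for title, extra in (("without host route", ()), ("with host route", (HOST_ROUTE,))):
        print(f"== {title} ==")
        for name, result in scenario(extra).items():
            print(f"{name:28} {result}")
```

Running it shows only the metric-5 default installed, the ISP router on BTnet_2 reachable (connected route), 8.8.4.4 and 8.8.8.8 unreachable from BTnet_2, and, once the /32 is added, 8.8.4.4 reachable from BTnet_2 while 8.8.8.8 still is not; the same host route with distance 200 behaves identically, because prefix length is compared before distance.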