ASA 5510 Upgrade from 9.0 to 9.1.7.20 "Routing failed to locate next hop for ICMP from DMZ"

David Harrell
Beginner

Hello all,

I am hoping someone else has seen this issue and can provide some insight. We performed the above-mentioned upgrade and have since lost ICMP traffic from our DMZ to the outside. All ICMP traffic passes fine from inside->outside or inside->DMZ. All ICMP originating from the DMZ fails and produces the following logging message:

6 Feb 01 2018 12:19:39 110003 192.168.3.144 46341 8.8.8.8 0 Routing failed to locate next hop for ICMP from DMZ:192.168.3.144/46341 to inside:8.8.8.8/0

Obviously, 8.8.8.8 is not on our inside network, and we experienced no issues before the upgrade to 9.1.7.20. Below are the relevant NAT rules, and we are allowing icmp/echo, echo-reply, information-reply, and information-request in/out of the DMZ, in/out of OUTSIDE, and into INSIDE.

 

object network nat-Columbia-Ironport-DMZ
 host 192.168.3.144

object network nat-Columbia-Ironport-DMZ
 nat (DMZ,outside) static 74.4.20.144

1 Reply

David Harrell
Beginner

Ended up downgrading back to 9.04 and restoring a pre-upgrade config. Issue appeared resolved, but has since returned.

The only traffic affected is the DMZ.
