ASA 5510 Upgrade from 9.0 to 9.1.7.20 "Routing failed to locate next hop for ICMP from DMZ"

David Harrell
Level 1

Hello all,

 

I am hoping someone else has seen this issue and can provide some insight. We performed the above-mentioned upgrade and have since lost ICMP traffic from our DMZ to the outside. All ICMP traffic passes fine from inside->outside or inside->DMZ. All ICMP originating from the DMZ fails and produces the following logging message:

 

6 Feb 01 2018 12:19:39 110003 192.168.3.144 46341 8.8.8.8 0 Routing failed to locate next hop for ICMP from DMZ:192.168.3.144/46341 to inside:8.8.8.8/0

 

Obviously, 8.8.8.8 is not on our inside network, and we experienced no issues before the upgrade to 9.1.7.20. Below are the relevant NAT rules, and we are allowing ICMP echo, echo-reply, information-reply, and information-request in/out of the DMZ, in/out of OUTSIDE, and into INSIDE.

 

object network nat-Columbia-Ironport-DMZ
host 192.168.3.144

 

object network nat-Columbia-Ironport-DMZ
nat (DMZ,outside) static 74.4.20.144

1 Reply 1

David Harrell
Level 1

Ended up downgrading back to 9.04 and restoring a pre-upgrade config. Issue appeared resolved, but has since returned.

 

The only traffic affected is the DMZ.
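
A log-triage sketch for the 110003 message quoted in the original post, added here as an example and not part of the thread: it parses the message text and counts flows where the ASA chose an internal interface as egress for a globally routable destination, which is the symptom described. The `INTERNAL_INTERFACES` set and the second and third sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message text of ASA syslog 110003, in the form quoted in the post above.
PATTERN = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\S+) "
    r"from (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# Assumption: interfaces that should only ever lead to private address space.
INTERNAL_INTERFACES = {"inside"}
SAMPLE = [
    # Line quoted in the post.
    "6 Feb 01 2018 12:19:39 110003 192.168.3.144 46341 8.8.8.8 0 Routing failed "
    "to locate next hop for ICMP from DMZ:192.168.3.144/46341 to inside:8.8.8.8/0",
    # Constructed: same message, private destination, so not flagged.
    "6 Feb 01 2018 12:19:40 110003 192.168.3.144 46342 192.168.1.20 0 Routing failed "
    "to locate next hop for ICMP from DMZ:192.168.3.144/46342 to inside:192.168.1.20/0",
    # Constructed: unrelated text that must be ignored.
    "constructed line that is not a 110003 message",
]

def parse_110003(line):
    """Return the fields of a 110003 message, or None if the line is something else."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src_ip"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst_ip"])
    except ValueError:  # e.g. "999.1.1.1" matched the loose address pattern
        return None
    return rec

def misdirected(rec):
    """True when a public destination was assigned an internal egress interface."""
    return rec["dst_if"] in INTERNAL_INTERFACES and rec["dst_ip"].is_global

def summarize(lines):
    """Count misdirected flows per (ingress, egress, protocol)."""
    hits = Counter()
    for rec in filter(misdirected, filter(None, map(parse_110003, lines))):
        hits[(rec["src_if"], rec["dst_if"], rec["proto"])] += 1
    return hits

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A non-empty result means the egress interface was not the one the routing table would give for that destination, so the NAT rules and the route lookup for the affected interface pair are the place to compare pre- and post-upgrade configuration.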
