09-17-2016 05:05 AM - edited 03-12-2019 01:17 AM
Hi All,
I am getting the below error while running packet-tracer on the ASA. Could anyone please help me find out the root cause? Details are as follows:
Source - 10.126.58.75
Destination - 23.197.16.45
Cisco-ASA# packet-tracer input Test tcp 10.126.58.75 123 23.197.16.45 443 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffb9aa3f260, priority=1, domain=permit, deny=false
hits=576089876, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Test, output_ifc=any
Result:
input-interface: Test
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Thanks in advance.
Regards,
Chandhuru
Labels: NGFW Firewalls
09-17-2016 07:49 AM
Have you set a default route? That would be the most common reason for that message.
You need something like:
route outside 0.0.0.0 0.0.0.0 <gateway address>
(assuming your default gateway is upstream from the outside interface)
09-17-2016 08:55 AM
Hi Marvin,
We didn't set any default route.
Is there any way to use a static route? If so, could you please advise us on setting a static route for this issue.
Nameif details:
Test - 10.126.58.75
Inside - 23.197.16.45
Please help us to resolve this issue.
Regards,
Chandhuru
09-17-2016 09:01 AM
Your test is invalid.
You cannot send a packet from the ASA's self IP address to another one on the same appliance.
Instead try a packet tracer with addresses of hosts that would be connected to those respective interfaces.
Like this:
packet-tracer input Test tcp 10.126.58.76 123 23.197.16.46 443 detailed
09-17-2016 09:18 AM
Sorry for the confusion.
23.197.16.45 is an IP address outside our network. It is not a self IP address of the ASA appliance.
Regards,
Chandhuru
09-17-2016 11:23 AM
If you want us to assist, we need a few more details.
Please share output of the following:
show ip address
show route
09-18-2016 06:31 AM
Hi Marvin,
Please find the details below:
Cisco-ASA-5585# sh ip address
Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel3.30 Inside 10.0.3.11 255.255.254.0 manual
Port-channel3.460 Test-WANin 10.126.47.1 255.255.254.0 manual
Port-channel3.520 Test-Mgmt 10.126.53.1 255.255.254.0 manual
Port-channel3.540 Test-CHDApps 10.126.55.1 255.255.254.0 manual
Port-channel3.560 Test-CHDMgmt 10.126.57.1 255.255.254.0 manual
Port-channel3.580 Test-Apps 10.126.59.1 255.255.254.0 manual
Port-channel3.600 Test-Token 10.126.61.1 255.255.254.0 manual
Port-channel3.1140 Test-DMZ 10.126.115.11 255.255.254.0 manual
Cisco-ASA-5585# sh run route
route Inside 10.0.16.0 255.255.252.0 10.0.2.3 1
route Inside 10.0.20.0 255.255.252.0 10.0.2.3 1
route Inside 10.1.5.0 255.255.255.0 10.0.2.3 1
route Inside 64.57.154.38 255.255.255.255 10.0.2.3 1
route Inside 67.18.10.156 255.255.255.255 10.0.2.3 1
route Inside 67.18.10.160 255.255.255.255 10.0.2.3 1
route Test-DMZ 216.189.224.0 255.255.255.0 10.126.114.3 1
route Test-DMZ 216.189.226.0 255.255.255.0 10.126.114.3 1
route Test-DMZ 216.189.227.0 255.255.255.0 10.126.114.3 1
route Test-DMZ 216.189.239.0 255.255.255.0 10.126.114.3 1
Cisco-ASA-5585#sh route
C 10.0.2.0 255.255.254.0 is directly connected, Inside
L 10.0.3.11 255.255.255.255 is directly connected, Inside
S 10.0.16.0 255.255.252.0 [1/0] via 10.0.2.3, Inside
S 10.0.20.0 255.255.252.0 [1/0] via 10.0.2.3, Inside
S 10.1.5.0 255.255.255.0 [1/0] via 10.0.2.3, Inside
S 10.1.6.2 255.255.255.255 [1/0] via 10.0.2.3, Inside
S 10.1.7.4 255.255.255.255 [1/0] via 10.0.2.3, Inside
S 10.1.8.0 255.255.255.0 [1/0] via 10.0.2.3, Inside
Lots of routes are there, but there is no default route. Please suggest.
Regards,
Chandhuru
09-18-2016 07:47 AM (Accepted Solution)
Ok, that helps.
So the source packet is from 10.126.58.75. The source specified in your packet-tracer should actually be "Test-CHDMgmt" as the /23 subnet there would include that source address.
Your destination is 23.197.16.45. Think about how the ASA would know what interface to send that packet out on.
1. Is there a connected interface in that network? No.
2. Is there a static route for that destination network? No.
3. Is there a dynamic routing process (OSPF, EIGRP etc.) whereby the ASA learns the route to that network? No.
Thus you get "No route to host". If you want the packet to exit your "Inside" interface then you need to add a route manually given your current setup. You can use a default route or something more specific.
It looks like your gateway for the inside network is 10.0.2.3. If that's the case, then the most specific (/32) route statement would be:
route Inside 23.197.16.45 255.255.255.255 10.0.2.3
09-18-2016 08:35 AM
Thanks Marvin.
Yes, the destination IP address is taking the "Inside" interface to pass on.
One more quick question:
route Inside(nameif) 23.197.16.45 255.255.255.255 10.0.2.3
Nameif - here it means the destination route interface, right?
Really thanks for your prompt response.
Regards,
Chandhuru
09-18-2016 08:47 AM
Chandhuru,
Yes, the parameter after the command "route" is the name of the interface to be used for that routing statement. We do not use the "nameif" keyword in the route command but instead put the interface name in without further qualification.
Please see the command reference for the following:
route
To enter a static or default route for the specified interface, use the route command in global configuration mode. To remove routes from the specified interface, use the no form of this command.
route interface_name ip_address netmask gateway_ip [[ metric ] [ track number ] | tunneled ]
no route interface_name ip_address netmask gateway_ip [[ metric ] [ track number ] | tunneled ]
Syntax Description
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/r2.html#pgfId-1840612
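The three-step lookup in the accepted answer (connected interface, static route, dynamic route) and the `route interface_name ip_address netmask gateway_ip` syntax quoted above can be reproduced offline. The Python below is an added example, not code from this thread or from Cisco: it parses a constructed subset of the `sh ip address` and `sh run route` output posted earlier into one routing table and performs a longest-prefix match, so the `(no-route)` drop for 23.197.16.45 and its fix are checkable before touching the ASA. Dynamic routing is not modelled (none is configured here), and the function names `parse_connected`, `parse_static`, `lookup` and `egress` are my own.

```python
import ipaddress

# Constructed sample input: a subset of the "sh ip address" and "sh run route" output
# quoted in this thread (this is an added example, not the poster's own configuration).
SH_IP_ADDRESS = """\
Port-channel3.30 Inside 10.0.3.11 255.255.254.0 manual
Port-channel3.560 Test-CHDMgmt 10.126.57.1 255.255.254.0 manual
Port-channel3.580 Test-Apps 10.126.59.1 255.255.254.0 manual
Port-channel3.1140 Test-DMZ 10.126.115.11 255.255.254.0 manual
"""
SH_RUN_ROUTE = """\
route Inside 10.0.16.0 255.255.252.0 10.0.2.3 1
route Inside 64.57.154.38 255.255.255.255 10.0.2.3 1
route Test-DMZ 216.189.224.0 255.255.255.0 10.126.114.3 1
"""

def parse_connected(text):
    """'<phys> <nameif> <ip> <mask> <method>' lines -> [(network, nameif, 'connected')]."""
    table = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5:
            net = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            table.append((net, parts[1], "connected"))
    return table

def parse_static(text):
    """'route <nameif> <net> <mask> <gateway> [metric]' lines -> [(network, nameif, gateway)]."""
    table = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 5 and parts[0] == "route":
            table.append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), parts[1], parts[4]))
    return table

def lookup(dst, table):
    """Longest-prefix match: returns (nameif, next_hop), or None for the ASA's (no-route) drop."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, ifc, gw in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc, gw)
    return None if best is None else (best[1], best[2])

def egress(dst, extra_routes=""):
    """Resolve dst against the sample tables, optionally after adding more 'route' lines."""
    table = parse_connected(SH_IP_ADDRESS) + parse_static(SH_RUN_ROUTE + extra_routes)
    return lookup(dst, table)

# egress("23.197.16.45") -> None, matching "Drop-reason: (no-route) No route to host";
# adding "route Inside 23.197.16.45 255.255.255.255 10.0.2.3" (or a 0.0.0.0 0.0.0.0
# default route) resolves it to ("Inside", "10.0.2.3").
```

Because the match is longest-prefix, a default route added on Inside does not divert traffic already covered by the more specific Test-DMZ routes, which is what makes the default route safe to add alongside the existing statics.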
09-18-2016 08:49 AM
Thanks a lot Marvin.
I will check and get back to you at the earliest.
Thanks for your support.
Regards,
Chandhuru
