Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16785
Views
5
Helpful
10
Replies

Require solution for Drop-reason: (no-route) No route to host in ASA

Go to solution
Chandhuru sekaran marimuthu
Level 1
Level 1

‎09-17-2016 05:05 AM - edited ‎03-12-2019 01:17 AM

Hi All,

I am getting below error while run Packet tracer in ASA. Could anyone please help me to find out the route cause. Details are follows:

Source - 10.126.58.75
Destination - 23.197.16.45

Cisco-ASA# packet-tracer input Test tcp 10.126.58.75 123 23.197.16.45 443 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffb9aa3f260, priority=1, domain=permit, deny=false
hits=576089876, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Test, output_ifc=any

Result:
input-interface: Test
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Thanks in advance.

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Chandhuru sekaran marimuthu

‎09-18-2016 07:47 AM

Ok, that helps.

So the source packet is from 10.126.58.75. The source specified in your packet-tracer should actually be "Test-CHDMgmt" as the /23 subnet there would include that source address.

Your destination is 23.197.16.45. Think about how the ASA would know what interface to send that packet out on.

1. Is there a connected interface in that network? No

2. Is there a static route for that destination network? No.

3. Is there a dynamic routing process (OSPF, EIGRP etc.) whereby the ASA learns the route to that network? No.

Thus you get "No route to host". If you want the packet to exit your "Inside" interface then you need to add a route manually given your current setup. You can use a default route or something more specific.

It looks like your gateway for the inside network is 10.0.2.3. If that's the case, then the most specific (/32) route statement would be:

route Inside 23.197.16.45 255.255.255.255 10.0.2.3

View solution in original post

10 Replies 10

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-17-2016 07:49 AM

Have you set a default route? that would be the most common reason for that message.

You need something like:

route outside 0.0.0.0 0.0.0.0 <gateway address>

(assuming your default gateway is upstream from the outside interface)

0 Helpful

Go to solution
Chandhuru sekaran marimuthu
Level 1
Level 1
In response to Marvin Rhoads

‎09-17-2016 08:55 AM

Hi Marvin,

We didn't set any default route.

Is there any way for static route if so could you please advise us to set static route for this issue.

Nameif details:

Test - 10.126.58.75
Inside - 23.197.16.45

Please help us to resolve this issue.

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Chandhuru sekaran marimuthu

‎09-17-2016 09:01 AM

Your test is invalid.

You cannot send a packet from the ASA's self IP address to another one on the same appliance.

Instead try a packet tracer with addresses of hosts that would be connected to those respective interfaces.

Like this:

packet-tracer input Test tcp 10.126.58.76 123 23.197.16.46 443 detailed

0 Helpful

Go to solution
Chandhuru sekaran marimuthu
Level 1
Level 1
In response to Marvin Rhoads

‎09-17-2016 09:18 AM

Sorry for confusion.

23.197.16.45 is outside our network IP address. It is not self IP address of ASA appliance. 

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Chandhuru sekaran marimuthu

‎09-17-2016 11:23 AM

If you want us to assist, we need a few more details.

Please share output of the following:

show ip address
show route
0 Helpful

Go to solution
Chandhuru sekaran marimuthu
Level 1
Level 1
In response to Marvin Rhoads

‎09-18-2016 06:31 AM

Hi Marvin,

Please find the details below:

Cisco-ASA-5585# sh ip address

Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel3.30 Inside 10.0.3.11 255.255.254.0 manual
Port-channel3.460 Test-WANin 10.126.47.1 255.255.254.0 manual
Port-channel3.520 Test-Mgmt 10.126.53.1 255.255.254.0 manual
Port-channel3.540 Test-CHDApps 10.126.55.1 255.255.254.0 manual
Port-channel3.560 Test-CHDMgmt 10.126.57.1 255.255.254.0 manual
Port-channel3.580 Test-Apps 10.126.59.1 255.255.254.0 manual
Port-channel3.600 Test-Token 10.126.61.1 255.255.254.0 manual
Port-channel3.1140 Test-DMZ 10.126.115.11 255.255.254.0 manual

Cisco-ASA-5585# sh run route
route Inside 10.0.16.0 255.255.252.0 10.0.2.3 1
route Inside 10.0.20.0 255.255.252.0 10.0.2.3 1
route Inside 10.1.5.0 255.255.255.0 10.0.2.3 1
route Inside 64.57.154.38 255.255.255.255 10.0.2.3 1
route Inside 67.18.10.156 255.255.255.255 10.0.2.3 1
route Inside 67.18.10.160 255.255.255.255 10.0.2.3 1
route Test-DMZ 216.189.224.0 255.255.255.0 10.126.114.3 1
route Test-DMZ 216.189.226.0 255.255.255.0 10.126.114.3 1
route Test-DMZ 216.189.227.0 255.255.255.0 10.126.114.3 1
route Test-DMZ 216.189.239.0 255.255.255.0 10.126.114.3 1

Cisco-ASA-5585#sh route

C 10.0.2.0 255.255.254.0 is directly connected, Inside
L 10.0.3.11 255.255.255.255 is directly connected, Inside
S 10.0.16.0 255.255.252.0 [1/0] via 10.0.2.3, Inside
S 10.0.20.0 255.255.252.0 [1/0] via 10.0.2.3, Inside
S 10.1.5.0 255.255.255.0 [1/0] via 10.0.2.3, Inside
S 10.1.6.2 255.255.255.255 [1/0] via 10.0.2.3, Inside
S 10.1.7.4 255.255.255.255 [1/0] via 10.0.2.3, Inside
S 10.1.8.0 255.255.255.0 [1/0] via 10.0.2.3, Inside

Lots of route are there but there is no default route. Please suggest.

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Chandhuru sekaran marimuthu

‎09-18-2016 07:47 AM

Ok, that helps.

So the source packet is from 10.126.58.75. The source specified in your packet-tracer should actually be "Test-CHDMgmt" as the /23 subnet there would include that source address.

Your destination is 23.197.16.45. Think about how the ASA would know what interface to send that packet out on.

1. Is there a connected interface in that network? No

2. Is there a static route for that destination network? No.

3. Is there a dynamic routing process (OSPF, EIGRP etc.) whereby the ASA learns the route to that network? No.

Thus you get "No route to host". If you want the packet to exit your "Inside" interface then you need to add a route manually given your current setup. You can use a default route or something more specific.

It looks like your gateway for the inside network is 10.0.2.3. If that's the case, then the most specific (/32) route statement would be:

route Inside 23.197.16.45 255.255.255.255 10.0.2.3

Go to solution
Chandhuru sekaran marimuthu
Level 1
Level 1
In response to Marvin Rhoads

‎09-18-2016 08:35 AM

Thanks Marvin.

Yes, Destination IP address is taking "Inside" interface to pass on.

One more quick question:

route Inside(nameif) 23.197.16.45 255.255.255.255 10.0.2.3

Nameif - Here it meant destination route interface right?

Really thanks for your prompt response. 

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Chandhuru sekaran marimuthu

‎09-18-2016 08:47 AM

Chadhuru,

Yes, the parameter after the command "route" is the name of the interface to be used for that routing statement. We do not use the "nameif" keyword in the route command but instead put the interface name in without further qualification.

Please see the command reference for the following:

route

To enter a static or default route for the specified interface, use the route command in global configuration mode. To remove routes from the specified interface, use the no form of this command.


route interface_name ip_address netmask gateway_ip [[ metric ] [ track number ] | tunneled ]

no route interface_name ip_address netmask gateway_ip [[ metric ] [ track number ] | tunneled ]

 

Syntax Description

gateway_ip

Specifies the IP address of the gateway router (the next-hop address for this route).

Note The gateway_ip argument is optional in transparent mode.

interface_name

Specifies the internal or external network interface name through which the traffic is routed.

ip_address

Specifies the internal or external network IP address.

metric

(Optional) Specifies the administrative distance for this route. Valid values range from 1 to 255. The default value is 1.

netmask

Specifies a network mask to apply to ip_address.

track number

(Optional) Associates a tracking entry with this route. Valid values are from 1 to 500.

Note The track option is only available in single, routed mode.

tunneled

Specifies the route as the default tunnel gateway for VPN traffic.

 

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/r2.html#pgfId-1840612

0 Helpful

Go to solution
Chandhuru sekaran marimuthu
Level 1
Level 1
In response to Marvin Rhoads

‎09-18-2016 08:49 AM

Thanks a lot Marvin.

I will check and get back to you at the earliest.

Thanks for your support.

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card