Re: Routing failed to locate next hop

COST89010 · ‎12-27-2010

Hi everybody, last week I had a problem into my network, now is working fine, but I want to know if you can help me to know what was the possible reason for that problem and which of my actions was the one who fixed the problem, and/or if it can pass again.

next is the main configuration of my device:

ASA5550

Cisco Adaptive Security Appliance Software Version 8.2(1)

interface GigabitEthernet1/3

description INSIDE PRO-DB

media-type sfp

nameif inside

security-level 100

ip address 10.7.4.14 255.255.255.240 standby 10.7.4.13

and:

interface GigabitEthernet1/1

description DMZ DATABASE-BACK

media-type sfp

nameif dmz_database_back

security-level 90

ip address 10.7.4.46 255.255.255.240 standby 10.7.4.45

also the next routes:

route dmz_database_back 10.4.0.0 255.255.255.0 10.7.4.33 1

route inside 10.4.1.0 255.255.255.0 10.7.4.1 1

route inside 10.4.2.0 255.255.255.0 10.7.4.1 1

route inside 10.4.3.0 255.255.255.0 10.7.4.1 1

The problem was next:

traffic from BACKOFFICE area (10.4.0.0/24) to DATABASE PRODUCTION area is working ok, the communication exists, but when traffic is sending in opposite way from DATABASE PRODUCTION area to BACKOFFICE area the communication doesn´t exist, and sent me the following log:

Dec 27 2010 09:54:44 110003 10.4.2.1 30303 10.4.0.5 0 Routing failed to locate next hop for ICMP from inside:10.4.2.1/30303 to dmz_backoffice:10.4.0.5/0

as I said, now everything is working ok, and the only thing that I did, was to clear arp in all devices, please let me know if you have any comments.

thanks for your help!!

Kureli Sankar · ‎12-27-2010

Route statement and syslog don't match.

interface GigabitEthernet1/1
description DMZ DATABASE-BACK
media-type sfp
nameif dmz_database_back
security-level 90
ip address 10.7.4.46 255.255.255.240 standby 10.7.4.45

route dmz_database_back 10.4.0.0 255.255.255.0 10.7.4.33 1

Routing failed to locate next hop for ICMP from inside:10.4.2.1/30303 to dmz_backoffice:10.4.0.5/0

Is there another interface called dmz_backoffice?

-KS

COST89010 · ‎12-27-2010

Hi, thank you so much for your attention,

The answer is yes, there is another interface called dmz_backoffice , this is the information:

interface GigabitEthernet1/2

description DMZ BACKOFFICE

media-type sfp

nameif dmz_backoffice

security-level 70

ip address 10.7.3.126 255.255.255.240 standby 10.7.3.125

!

Please, let me know if you need more information.

Best regards.

Kureli Sankar · ‎12-27-2010

Ok. So where does this network 10.4.0.0/24 live? off of dmz_database_back or dmz_backoffice:

route dmz_database_back 10.4.0.0 255.255.255.0 10.7.4.33 1

Routing failed to locate next hop for ICMP from inside:10.4.2.1/30303 to dmz_backoffice:10.4.0.5/0

-KS

COST89010 · ‎12-28-2010

hi, thank you a lot again,

this network lives off of dmz_backoffice

regards!

Kureli Sankar · ‎12-28-2010

If the 10.4.0.0/24 lives off the dmz_backoffice interface then the below route statement is incorrect.

route dmz_database_back 10.4.0.0 255.255.255.0 10.7.4.33 1

Pls. change it. This could have definitely caused an issue.

-KS

Jigar Dave · ‎01-03-2011

Hello COST89010,

put below route to point the traffic to dmz_database_back

route dmz_database_back 10.4.0.0 255.255.255.0 10.7.4.46 2
route dmz_database_back 10.4.0.0 255.255.255.0 10.7.4.45 3
no route dmz_database_back 10.4.0.0 255.255.255.0 10.7.4.33 1

also add this command

no route dmz_backoffice 10.4.0.0 255.255.255.0 10.4.0.5 - this will delete dmz_backoffice entry currently exists in your config.

HTH

Jigar

COST89010 · ‎01-04-2011

Hi jigar Dave and Poonguzhali Sankar, thank you very much for your support, I checked the configuration and I have followed some of your advice about the static routes and let me tell you that everything is working fine so far.

Thank you again for all your support.

Kureli Sankar · ‎01-04-2011

Glad to hear. If you would pls. mark the thread solved that would be great.

-KS

Jigar Dave · ‎01-04-2011

Hello Cost89010,

nice to hear these words from you, my try is always to help someone

have a nice day !!

- Jigar