site to site VPN fails to locate next hop

pcromwell · ‎05-28-2017

We have a ASA5510 running 9.1(3). I have setup an Site to site VPN and that establishes okay. However I cannot get traffic to successfully route.

I go onto a device behind HQ firewall and ping a far end device at branch. but it fails. From the ASA log (shown below) I see the reply come back from the branch device, but the ASA reports it cannot find the next hop. I have sub interfaces on the Inside interface. My interesting traffic for VPN

is 80 and 86 networks, which have sub interfaces on ASA. but interestingly the log message says traffic is from WAN to LAN_int10 which is a different subnet .33 so not sure what subnet 33 has got to do with it. can anyone advise

LAN_int10 is 192.168.33.0 in the below log output

6

May 26 2017

19:03:37

110003

192.168.86.8

0

192.168.80.50

768

Routing failed to locate next hop for ICMP from WAN:192.168.86.8/0 to LAN_int10:192.168.80.50/768

Marvin Rhoads · ‎05-28-2017

Are the subinterfaces up on the ASA?

What does the ASA tell you when you "show route" for one of the subinterfaces?

pcromwell · ‎05-29-2017

Hi Marvin, thanks for the reply. All the interfaces are up and the "show route" is the same for all interfaces, they show as being directly connected and have the same default gateway that is set to go out WAN interface

Richard Bradfield · ‎05-29-2017

can you share the relevant configuration, Interesting traffic ACLs, Interface config and routing config