No route to Host

m-raft
Level 1

I have a VPN Concentrator sitting outside my network with a vpnpool of 10.53.2.129-254 set aside for remote VPN clients. The concentrator connects to a DMZ port on a PIX with a security level of 60. When I try to ping an address on another interface of the PIX with a security level of 90, I get a syslog message saying "no route to 10.53.2.129 from 172.16.24.3". I have a route for 10.53.2.128 255.255.255.128 on the PIX routing the traffic to the VPN concentrator IP of 10.53.2.3. If I do a debug ICMP trace I see the echo request come in and the echo reply from the 172 host. If I debug the 172 interface I see the echo and echo-reply. When I debug the concentrator interface I see the echo but no echo-reply. One other thing: both the concentrator interface and the 172 interface are VLAN interfaces on the same physical interface.

Has anyone else seen this, or does anyone know what I need to do to get this working?

Thanks

3 Replies

scoclayton
Level 7

The "no route to host" syslog message is misleading. In most cases, you will see this message when the PIX routes the packets to an interface that does not have a route to that particular subnet. Can you post your PIX config for review and I will point out the problem to you?

Thanks,

Scott
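One way to check the point Scott makes (that both the request and the reply must resolve to a route on the firewall, and that the reply must leave on the interface facing the VPN pool) is to run a longest-prefix lookup over the firewall's route table for each direction of the flow. The example below is added here and is not from the thread or from Cisco; the only route taken from the post is the static 10.53.2.128/25 via 10.53.2.3, and the connected subnets, interface names and missing default route are constructed assumptions for illustration.

```python
import ipaddress

# Constructed route table modelled on the thread. Only the static route to the
# VPN pool is stated in the post; the connected subnets, interface names and
# the absence of a default route are ASSUMPTIONS for illustration.
ROUTES = [
    # (prefix, next hop or None if directly connected, egress interface)
    ("10.53.2.128/25", "10.53.2.3", "vpnconcentrator"),  # from the post
    ("10.53.2.0/25", None, "vpnconcentrator"),           # assumed connected
    ("172.16.192.0/24", None, "xtranet"),                # assumed connected
    ("172.16.24.0/24", None, "inside"),                  # assumed connected
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match for dst. Returns (network, next_hop, interface)
    or None when no route covers the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def check_flow(client, server, routes=ROUTES):
    """Resolve the forward (client -> server) and reverse (server -> client)
    routes and report where each direction would leave the firewall.
    A None on either side is the condition that produces a 'no route' log."""
    forward = lookup(server, routes)
    reverse = lookup(client, routes)
    return {
        "forward_iface": forward[2] if forward else None,
        "reverse_iface": reverse[2] if reverse else None,
        "reverse_next_hop": reverse[1] if reverse else None,
        # The reply must be routable and must go back out the interface that
        # the request came in on, here the one facing the concentrator.
        "ok": forward is not None and reverse is not None
              and reverse[2] == "vpnconcentrator",
    }


if __name__ == "__main__":
    # The flow from the thread: VPN client 10.53.2.129 pinging 172.16.192.67.
    print(check_flow("10.53.2.129", "172.16.192.67"))
    # A destination the constructed table does not cover at all.
    print(lookup("192.0.2.1"))
```

With a real PIX the table to feed in is the output of `show route`; the same two lookups tell you whether the reply to the VPN pool is being sent out the concentrator interface via 10.53.2.3 or is falling through to some other interface.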

The config is attached. To restate: we are getting an IP address of 10.53.2.129 from the concentrator for our remote client. The client then tries to ping 172.16.192.67 and we don't get a reply. Doing the debug ICMP trace we see both the echo and echo-reply. Debugging the xtranet interface we see both the echo and echo-reply. Debugging the vpnconcentrator interface we see the echo but no echo-reply. From the PIX we can ping both the 10.53.2.129 host and the 172.16.192.67 host.

Thanks in advance....

Must have been a bug in 6.31, we downloaded 6.33 this morning and everything works as advertised.

Thanks for the response