ASA route-map getting "Routing failed to locate next hop..." and "No valid adjacency"

Phil L · ‎09-16-2019

We have a ASA5525 9.10 set up with a default route. We tried to add a route-map to split traffic certain traffic by source IP to go out another interface.
We can see the traffic getting NAT'ed properly, but we are getting "Routing failed to locate next hop..." error in syslog. We are getting following as a result when packet tracing:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: out-public
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

Could this be due to the static route? Any ideas as to how to fix?

Any help would be greatly appreciated.

Here is the related configuration:

! pre-existing interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.20.30 255.255.255.0

! pre-existing interface, policy-route is new
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
policy-route route-map public-subnets-route-map

! new interface for public egress
interface GigabitEthernet0/2
nameif out-public
security-level 70
ip address 10.10.30.2 255.255.255.0

! new
object-group network public-nets
network-object 10.10.100.0 255.255.255.0

! new
access-list public-subnets-route-map-list extended permit ip 10.10.100.0 255.255.255.0 any

! new
nat (inside,out-public) 1 source dynamic public-nets interface destination static obj_any obj_any

! pre-existing default route
route outside 0.0.0.0 0.0.0.0 10.10.20.1 1

! new
route-map public-subnets-route-map permit 10
match ip address public-subnets-route-map-list
set ip next-hop 10.10.30.1
set interface out-public

zachrhart@gmail.com · ‎09-16-2019

Hello Phil,

I've recently started using as ASA myself, and while I'm no expert I'd love to help if I can.

This error doesn't look like it has anything to do with your default static route. Based on the error output it looks like your ASA is either missing the route out of your secondary interface or there is some sort of connectivity issue between your ASA and the gateway at 10.10.30.1. Have you verified that you can ping 10.10.31.1 from the ASA? You may also want to ensure you can ping from behind the ASA, I would recommend doing so:

Global Config -> policy-map global_policy -> class inspection_default -> inspect icmp (this will enable pinging through the ASA device)

Can you provide the output of "show route"? Where does it say the output of 10.10.30.0/24 is located? It should detect it as a directly connected network, but if the ASA can't "see" the route your route map will fail.

Let me know if you can ping the secondary gateway and if a route to 10.10.30.0/24 is in the route table.

Don't forget to rate! Thanks!

-Zac

zachrhart@gmail.com · ‎09-16-2019

Phil,

Sorry, Just re-reading your configuration. Did you mean to dynamically map 10.10.100.0 to an overloaded "obj_any" object? I can't see the object in your config, but on second read I'd bet this is your culprit. My personal recommendation (if you're able) would be to change that NAT rule out for "nat (inside,out-public) source dynamic any interface" -- you'll likely want to make this NAT rule more specific, but for troubleshooting this will tell you whether or not you have a NAT issue jamming up your route-map.

Please remember to rate and mark correct if this is helpful!

-Zac