04-21-2011 04:37 PM
Does anyone know what this means? It appears to be a bug of some sort; looking at the Cisco site, they recommend opening a TAC case.
%ASA-6-110003: Routing failed to locate next hop for TCP from Outside:<ip_address>/2606 to inside:<ip_address>/22
This is the error message we get when users from a remote site are trying to access an ip address over IPSEC.
04-21-2011 04:49 PM
Hi Ronni,
Most likely it's not a bug. Make sure your routing and natting are correct. Maybe try clearing the xlate. Please attach the configuration if you can't find anything.
Thanks,
Asim
04-21-2011 04:59 PM
Asim,
The VPN tunnel is up and running and we can access the vendor's resources through the tunnel, but when they attempt to access one of our resources we get this message. I tried clearing the xlate and it did not help.
I saw on an earlier thread that the remote site made some routing changes which caused this message to pop up, and as soon as they fixed their routing the issue was resolved. So I am not convinced the problem is on my end.
04-22-2011 01:38 PM
Mostly this error indicates a problem on the local site, not the remote. You can try this command too:
ip verify reverse-path interface (interface name)
Without configuration and complete log message with ip addresses, it would be hard to find the problem.
04-22-2011 03:53 PM
Hi Ronni,
Could you please verify if I have the following information correct:
> It is a L2L tunnel between your ASA and the Vendor
> You are able to access Vendor resources
> Vendor is unable to access ANY of your resources
> The log you have posted is collected on your ASA
This particular log is generated when the ASA is unable to determine the next hop off the destination interface.
As explained in the log database, check the output of "show asp table routing", and see what routes exist for the ip address in the destination.
Also check the output of "show route" to make sure that the destination ip address is on the inside network.
If you are using a static NAT for NAT exemption (especially in ver 8.3 & above), and specified the interfaces incorrectly, then you can see this error. The static NAT forces the packet to the inside interface, but the IP lies off some other interface, and thus the interface routing table does not have a route to that IP. The ASA drops the packet and generates this syslog.
Hope this helps.
-Shrikant
P.S: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.
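An added example, not part of the original posts or any Cisco tooling: a Python sketch of the check described above, comparing the destination interface named in a 110003 message with the interface a longest-prefix route lookup selects. The route list stands in for a hand-transcribed `show route`; all addresses, the `dmz` interface and the function names are constructed for illustration.

```python
import ipaddress
import re

# Format of the 110003 message quoted in this thread.
LOG_RE = re.compile(
    r"%ASA-6-110003: Routing failed to locate next hop for (?P<proto>\S+) "
    r"from (?P<src_if>[^:\s]+):(?P<src_ip>[0-9.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[0-9.]+)/(?P<dst_port>\d+)"
)

# Constructed sample data (assumption): (interface, prefix) pairs and one log line.
ROUTES = [("inside", "10.1.0.0/16"), ("dmz", "10.1.50.0/24"), ("outside", "0.0.0.0/0")]
SAMPLE = ("%ASA-6-110003: Routing failed to locate next hop for TCP "
          "from Outside:198.51.100.7/2606 to inside:10.1.50.20/22")

def parse_110003(line):
    """Return the message fields as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def route_lookup(routes, ip):
    """Longest-prefix match over (interface, prefix) pairs."""
    addr = ipaddress.ip_address(ip)
    best = None
    for ifname, prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net)
    return best

def diagnose(line, routes):
    """Classify a log line against the transcribed routing table."""
    ev = parse_110003(line)
    if ev is None:
        return "not-110003"
    hit = route_lookup(routes, ev["dst_ip"])
    if hit is None:
        return "no-route"  # destination is not routed off any interface
    if hit[0].lower() != ev["dst_if"].lower():
        # The logged interface (chosen by NAT) differs from the routed one:
        # review the interface pair on the NAT exemption rule.
        return "interface-mismatch:" + hit[0]
    return "route-present"  # route exists; compare with "show asp table routing"

if __name__ == "__main__":
    print(diagnose(SAMPLE, ROUTES))
```
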
06-10-2015 01:43 AM
Thank you Shrikant!
"If you are using a static nat for nat exemption(especially in ver 8.3 & above), and specified the interfaces incorrectly, then you can see this error. The static nat forces the packet to the inside interface, but the ip lies off some other interface, and thus the interface routing table does not have a route to that ip. The ASA drops the packet and generates this syslog."
That solved the problem.
Regards Jarle