Routing failed to locate next hop

shawnsimon
Level 1

I'm attempting to connect 2 ASAv together in an AWS sandbox.  They are in 2 different subnets connecting through a L2L tunnel.  I've read through many of the posts on this site and attempted some of the fixes, but I can't figure out why I cannot create a tunnel.  I would appreciate any help, thanks.

 

ASAv #1: 52.2.214.98

ASAv #2: 50.17.169.41

 

The logs indicate that the route failed and cannot create a tunnel.

Routing failed to locate next hop for UDP from identity:52.2.214.98/500 to outside:50.17.169.41/500

IKEv protocol was unsuccessful at setting up a tunnel.

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.

 

The trace indicates an acl-drop.

(acl-drop) Flow is denied by configured rule

 

When I run these commands on the ASAv #1, I get this output.

debug crypto condition peer 50.17.169.41

debug crypto isakmp 127

debug crypto ipsec 127

 

Mar 05 16:18:31 [IKEv1]IP = 50.17.169.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 50.17.169.41 local Proxy Address 10.0.200.0, remote Proxy Address 10.0.100.0, Crypto map (outside_map)
Mar 05 16:18:31 [IKEv1 DEBUG]IP = 50.17.169.41, constructing ISAKMP SA payload
Mar 05 16:18:31 [IKEv1 DEBUG]IP = 50.17.169.41, constructing NAT-Traversal VID ver 02 payload
Mar 05 16:18:31 [IKEv1 DEBUG]IP = 50.17.169.41, constructing NAT-Traversal VID ver 03 payload
Mar 05 16:18:31 [IKEv1 DEBUG]IP = 50.17.169.41, constructing NAT-Traversal VID ver RFC payload
Mar 05 16:18:31 [IKEv1 DEBUG]IP = 50.17.169.41, constructing Fragmentation VID +extended capabilities payload
Mar 05 16:18:31 [IKEv1]IP = 50.17.169.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Mar 05 16:18:39 [IKEv1]IP = 50.17.169.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Mar 05 16:18:47 [IKEv1]IP = 50.17.169.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Mar 05 16:18:55 [IKEv1]IP = 50.17.169.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Mar 05 16:19:03 [IKEv1 DEBUG]IP = 50.17.169.41, IKE MM Initiator FSM error history (struct &0x00007fc8cff51430) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Mar 05 16:19:03 [IKEv1 DEBUG]IP = 50.17.169.41, IKE SA MM:850328a4 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Mar 05 16:19:03 [IKEv1 DEBUG]IP = 50.17.169.41, sending delete/delete with reason message

Here is the running config of the ASAv #1 (52.2.214.98) that is initiating the tunnel.  

 

: Saved

:
: Serial Number: 9A0J1RVVG4F
: Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2900 MHz, 1 CPU (2 cores)
:
ASA Version 9.10(1)11
!
hostname customer
domain-name customer.com
enable password ***** pbkdf2
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.0.200.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 52.2.214.98 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name customer.com
object network inside-subnet
subnet 10.0.200.0 255.255.255.0
object network outside-subnet
subnet 10.0.100.0 255.255.255.0
object network local-outside
host 52.2.214.98
object network shareable-outside
host 50.17.169.41
access-list outside_cryptomap extended permit ip object inside-subnet object outside-subnet
access-list inside_access_in extended permit ip any any
pager lines 23
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static inside-subnet inside-subnet destination static outside-subnet outside-subnet no-proxy-arp route-lookup
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http <<office IP>> 255.255.255.255 management

no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 50.17.169.41
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
<<long cert>>
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_50.17.169.41 internal
group-policy GroupPolicy_50.17.169.41 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 50.17.169.41 type ipsec-l2l
tunnel-group 50.17.169.41 general-attributes
default-group-policy GroupPolicy_50.17.169.41
tunnel-group 50.17.169.41 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

 

1 Reply

Hi,
You have no default route defined; how are they routing between each other?
The outside interfaces are in different networks, so they will need a route.

HTH
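As an added example, not part of this thread and not Cisco tooling, the Python script below applies the reply's reasoning mechanically: it reads the interface addresses, any static `route` statements and the crypto map from a trimmed excerpt of the posted ASAv #1 config, then checks whether the crypto-map peer is reachable out of the interface the map is bound to, which is exactly what the `Routing failed to locate next hop ... to outside:50.17.169.41/500` message is complaining about. Only routing visible in the config is considered (connected subnets and static routes); the DHCP `setroute` on the management interface is reported as a note rather than evaluated, and the `52.2.214.1` gateway used to demonstrate a fix is a placeholder, since the real AWS gateway is not given in the thread.

```python
# Added example: check whether an ASA crypto-map peer is reachable out of the
# interface the map is bound to, using only the routing the config shows
# (connected subnets and static "route" statements).
import ipaddress
import re

# Excerpt of the ASAv #1 running config from the post, trimmed to the lines
# this check needs (interface addresses, crypto map peer and binding).
CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 10.0.200.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 ip address 52.2.214.98 255.255.255.0
!
interface Management0/0
 nameif management
 ip address dhcp setroute
!
crypto map outside_map 1 set peer 50.17.169.41
crypto map outside_map interface outside
"""

# The syslog line from the post that the check explains.
SYSLOG = ("Routing failed to locate next hop for UDP from "
          "identity:52.2.214.98/500 to outside:50.17.169.41/500")

def parse_routes(config):
    """Return ([(nameif, prefix, next_hop)], notes). next_hop is "connected" for
    attached subnets; DHCP-learned routes are only noted, never evaluated."""
    routes, notes, nameif = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            nameif = None
        elif line.startswith("nameif "):  # ASA prints nameif before ip address
            nameif = line.split()[1]
        elif nameif and line.startswith("ip address "):
            parts = line.split()
            if parts[2] == "dhcp":  # "ip address dhcp [setroute]"
                notes.append(f"{nameif}: address and any setroute default route "
                             "come from DHCP and are not in the config")
            else:  # ipaddress accepts "addr/dotted-mask"
                net = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
                routes.append((nameif, net, "connected"))
        else:
            m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
            if m:  # route <nameif> <network> <mask> <gateway> [metric]
                net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}")
                routes.append((m.group(1), net, m.group(4)))
    return routes, notes

def parse_crypto_peers(config):
    """Return [(map_name, peer, bound_interface)] for every crypto-map peer."""
    peers, bound = [], {}
    for raw in config.splitlines():
        m = re.match(r"crypto map (\S+) \d+ set peer (.+)", raw.strip())
        if m:
            peers.extend((m.group(1), p) for p in m.group(2).split())
        m = re.match(r"crypto map (\S+) interface (\S+)", raw.strip())
        if m:
            bound[m.group(1)] = m.group(2)
    return [(name, peer, bound.get(name)) for name, peer in peers]

def lookup_route(dst, routes):
    """Longest-prefix match over the routes visible in the config."""
    hits = [r for r in routes if dst in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen) if hits else None

def diagnose(config):
    """One finding per peer: can traffic to it leave through the map's interface?"""
    routes, notes = parse_routes(config)
    findings = []
    for map_name, peer, egress in parse_crypto_peers(config):
        best = lookup_route(ipaddress.IPv4Address(peer), routes)
        if best is None:
            ok, reason = False, f"no connected or static route covers {peer}"
        elif best[0] != egress:
            ok, reason = False, (f"{peer} routes via {best[0]} ({best[1]}), "
                                 f"but {map_name} is bound to {egress}")
        else:
            ok, reason = True, f"{peer} reachable out of {egress} via {best[1]}"
        findings.append({"map": map_name, "peer": peer, "egress": egress,
                         "ok": ok, "reason": reason, "notes": notes})
    return findings

def parse_next_hop_failure(line):
    """Pull (src, egress, dst) out of the ASA 'Routing failed to locate next hop' text."""
    m = re.search(r"next hop for \w+ from \S+:(\S+)/\d+ to (\S+):(\S+)/\d+", line)
    return {"src": m.group(1), "egress": m.group(2), "dst": m.group(3)} if m else None

if __name__ == "__main__":
    ev = parse_next_hop_failure(SYSLOG)
    print(f"syslog: no next hop for {ev['dst']} out of {ev['egress']}")
    for f in diagnose(CONFIG):
        print("as posted:", "OK" if f["ok"] else "FAIL", "-", f["reason"])
    # Constructed fix: default route out of "outside"; 52.2.214.1 is a placeholder
    # gateway, the real AWS subnet router is not in the thread.
    for f in diagnose(CONFIG + "route outside 0.0.0.0 0.0.0.0 52.2.214.1\n"):
        print("with default route:", "OK" if f["ok"] else "FAIL", "-", f["reason"])
```

Run as a script it reports FAIL for the config as posted and OK once a default route out of `outside` is present, which is the route the reply asks for (`route outside 0.0.0.0 0.0.0.0 <outside-gateway>` on the ASA, with the real gateway of the 52.2.214.0/24 subnet). The same check also flags a default route that exits through an interface other than the one the crypto map is bound to, since IKE and ESP to the peer must leave through the map's interface.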