09-30-2008 09:23 AM
Have an ASA, running 8.04, with a L2L VPN tunnel built. The ASA has two interfaces whose subnets are supposed to enter the tunnel if destined to 192.168.0.0 /24:
interface 1 - 192.168.3.0 /24
Interface 2 - 10.12.37.0 /24
Hosts from interface one can successfully reach devices on the subnet 192.168.0.x as expected.
However, hosts on interface 2 cannot. In troubleshooting I can see the ICMP replies coming back into the ASA, but then my ASA reports this error and drops the replies:
Routing failed to locate next-hop for ICMP from OUTSIDE:192.168.0.252/0 to INSIDE:10.12.37.252/512
The syslog message is code 110003, which is defined as:
Recommended Action: Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. During debugging, use the show asp table routing command to view the routing table details.
The ASP routing table appears fine. The only difference between the two interfaces besides the physical one is the security level, but the same sec command is present.
Any ideas?
09-30-2008 09:36 AM
Tom,
Based upon the description and log message, it looks like the ASA is trying to route the packets to the wrong interface.
Meaning, if 10.12.37.0/24 is located on Interface 2 (e.g., DMZ), why is the ASA trying to send the packets to the INSIDE interface?
I have seen this issue in the past if there is misconfiguration with the NAT 0 commands. For example, when you have nat (dmz) 0 0.0.0.0 0.0.0.0
If you have the above configuration, can you configure a more specific NAT 0 command and do the testing?
Regards,
Arul
** Please rate all helpful posts **
09-30-2008 09:51 AM
Thank you Arul, here is what I have:
global (OUTSIDE) 1 interface
nat (STATE) 0 access-list NONAT
nat (STATE) 1 10.12.37.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT
nat (INSIDE) 1 192.168.3.0 255.255.255.0
access-list NONAT extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS
object-group network PRIONE-SUBNETS
network-object 192.168.0.0 255.255.255.0
09-30-2008 09:59 AM
Is there any way you can separate the NONAT commands? Meaning, like this:
nat (STATE) 0 access-list NONATSTATE
nat (INSIDE) 0 access-list NONATINSIDE
access-list NONATSTATE extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS
access-list NONATINSIDE extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS
Regards,
Arul
** Please rate all helpful posts **
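The check Arul is asking for can be scripted. The following is an added example, not code from the thread or from Cisco: a small Python linter that takes the posted ASA configuration text, finds every `nat (interface) 0 access-list NAME` binding, and flags any ACE in NAME whose source network is not reachable through that interface according to a routing table. It also parses the 110003 log line from the first post and compares the interface the ASA chose with the one the routing table gives. The routing table is constructed for the example (the two inside-side subnets and interface names are from the thread; the default route via 203.0.113.1 is an assumption), and the rule "nat 0 ACL sources should live behind the interface the nat statement names" is the simplification this example enforces, not a statement of how the ASA's NAT lookup is implemented.

```python
"""Lint 'nat (if) 0 access-list' bindings against a routing table."""
import ipaddress
import re

# Constructed routing table. Subnets and interface names come from the thread;
# the default route and its next hop (203.0.113.1) are assumed for the example.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "OUTSIDE", "203.0.113.1"),
    (ipaddress.ip_network("192.168.3.0/24"), "INSIDE", "connected"),
    (ipaddress.ip_network("10.12.37.0/24"), "STATE", "connected"),
]

# Config as posted with one shared NONAT list bound to both interfaces.
SHARED_NONAT = """
nat (STATE) 0 access-list NONAT
nat (STATE) 1 10.12.37.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT
nat (INSIDE) 1 192.168.3.0 255.255.255.0
access-list NONAT extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS
object-group network PRIONE-SUBNETS
 network-object 192.168.0.0 255.255.255.0
"""

# Arul's suggestion: one NAT-exemption list per interface.
SPLIT_NONAT = """
nat (STATE) 0 access-list NONATSTATE
nat (INSIDE) 0 access-list NONATINSIDE
access-list NONATSTATE extended permit ip 10.12.37.0 255.255.255.0 object-group PRIONE-SUBNETS
access-list NONATINSIDE extended permit ip 192.168.3.0 255.255.255.0 object-group PRIONE-SUBNETS
object-group network PRIONE-SUBNETS
 network-object 192.168.0.0 255.255.255.0
"""

# The %ASA-6-110003 line quoted in the first post.
LOG_110003 = ("Routing failed to locate next-hop for ICMP from "
              "OUTSIDE:192.168.0.252/0 to INSIDE:10.12.37.252/512")

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) ")
LOG_RE = re.compile(r"to (\S+?):(\d+\.\d+\.\d+\.\d+)/\d+")


def lookup(ip, routes=ROUTES):
    """Longest-prefix-match route lookup; returns (interface, next_hop) or None."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])


def parse_config(text):
    """Return ([(nat_interface, acl_name)], {acl_name: [source_network, ...]})."""
    nat0, aces = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2)))
        elif m := ACE_RE.match(line):
            # ASA ACEs write the source as "address mask"; ip_network accepts that form.
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            aces.setdefault(m.group(1), []).append(net)
    return nat0, aces


def lint_nat0(text, routes=ROUTES):
    """Flag ACE sources that are not routed via the interface the nat 0 line names.

    Returns a list of (nat_interface, acl_name, source_network, routed_interface).
    """
    nat0, aces = parse_config(text)
    findings = []
    for iface, acl in nat0:
        for src in aces.get(acl, []):
            route = lookup(str(src.network_address), routes)
            routed = None if route is None else route[0]
            if routed != iface:
                findings.append((iface, acl, str(src), routed))
    return findings


def check_110003(msg, routes=ROUTES):
    """Return (interface named in the log, interface the routing table gives)."""
    m = LOG_RE.search(msg)
    if not m:
        raise ValueError("not a 110003 message")
    route = lookup(m.group(2), routes)
    return m.group(1), None if route is None else route[0]


if __name__ == "__main__":
    print("log says / route says:", check_110003(LOG_110003))
    print("shared NONAT findings:", lint_nat0(SHARED_NONAT))
    print("split NONAT findings: ", lint_nat0(SPLIT_NONAT))
```

With the shared list, the INSIDE binding carries an ACE whose source (10.12.37.0/24) is routed via STATE, and the STATE binding carries one whose source is routed via INSIDE; the split lists produce no findings. The log check shows the mismatch from the first post directly: the message names INSIDE, the routing table says STATE. Nothing here changes the ASA; it is a way to spot the inconsistency before asking for a full `show running-config`.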
09-30-2008 10:09 AM
Made the change and cleared the xlates; no change, still failing with the same error message.
09-30-2008 11:10 AM
Very interesting. For some reason, it looks like the ASA is still trying to route through the wrong interface. Can you post the configuration of the ASA?
If not, post the following configuration and outputs:
Inside Interface Configuration
DMZ Interface Configuration
Routing Table - show route
NAT Commands - After you made the changes
Static NAT
Log Message
Regards,
Arul