Routing failed to locate next hop for UDP from NP Identity
I am setting up remote access vpn to ASA and get the following error: Routing failed to locate next hop for UDP from NP Identity Ifc:192.168.20.1/62465 to remote-access:192.168.32.1
Here is the config:
hostname azt-bridge-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif azt-inside
security-level 100
no ip address
!
interface GigabitEthernet0/0.32
vlan 32
nameif azt_data
security-level 100
ip address 192.168.32.9 255.255.255.0
!
interface GigabitEthernet0/0.129
shutdown
vlan 129
nameif azt_voice
security-level 100
ip address 192.168.128.9 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif remote-access
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif baku-outside
security-level 0
ip address 10.253.17.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
access-list 110 extended permit ip 192.168.128.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list 110 extended permit ip 192.168.32.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list nonat extended permit ip 192.168.21.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list nonat extended permit ip 192.168.21.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list test extended permit ip any any
pager lines 24
logging monitor debugging
logging asdm informational
mtu azt-inside 1434
mtu azt_data 1434
mtu azt_voice 1434
mtu baku-outside 1434
mtu management 1434
mtu remote-access 1500
ip local pool raccess 192.168.21.0-192.168.21.12
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (remote-access) 0 access-list nonat
access-group test in interface remote-access
!
router eigrp 2009
no auto-summary
neighbor 10.253.17.2 interface baku-outside
network 10.253.17.0 255.255.255.0
network 192.168.32.0 255.255.255.0
network 192.168.128.0 255.255.255.0
redistribute static
!
route azt_data 192.168.128.0 255.255.255.0 192.168.32.8 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn 1 set transform-set vpnclienttrans raccess
crypto map bakumap 10 set security-association lifetime seconds 28800
crypto map bakumap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.253.17.2
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap interface baku-outside
crypto map vpnclientmap 10 ipsec-isakmp dynamic dyn
crypto map vpnclientmap interface remote-access
crypto isakmp identity hostname
crypto isakmp enable baku-outside
crypto isakmp enable remote-access
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 azt_data
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
priority-queue baku-outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.32.2
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs disable
username admin password fOxbBT5HEEz5OxJT encrypted
username user password fLERg0YSl2ueJmtn encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool raccess
default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 10.253.17.2 type ipsec-l2l
tunnel-group 10.253.17.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
I am connecting from the inside of my network from 192.168.32.0 subnet to interface 192.168.20.1.
Here is the config:
hostname azt-bridge-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif azt-inside
security-level 100
no ip address
!
interface GigabitEthernet0/0.32
vlan 32
nameif azt_data
security-level 100
ip address 192.168.32.9 255.255.255.0
!
interface GigabitEthernet0/0.129
shutdown
vlan 129
nameif azt_voice
security-level 100
ip address 192.168.128.9 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif remote-access
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif baku-outside
security-level 0
ip address 10.253.17.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
access-list 110 extended permit ip 192.168.128.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list 110 extended permit ip 192.168.32.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list nonat extended permit ip 192.168.21.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list nonat extended permit ip 192.168.21.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list test extended permit ip any any
pager lines 24
logging monitor debugging
logging asdm informational
mtu azt-inside 1434
mtu azt_data 1434
mtu azt_voice 1434
mtu baku-outside 1434
mtu management 1434
mtu remote-access 1500
ip local pool raccess 192.168.21.0-192.168.21.12
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (remote-access) 0 access-list nonat
access-group test in interface remote-access
!
router eigrp 2009
no auto-summary
neighbor 10.253.17.2 interface baku-outside
network 10.253.17.0 255.255.255.0
network 192.168.32.0 255.255.255.0
network 192.168.128.0 255.255.255.0
redistribute static
!
route azt_data 192.168.128.0 255.255.255.0 192.168.32.8 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn 1 set transform-set vpnclienttrans raccess
crypto map bakumap 10 set security-association lifetime seconds 28800
crypto map bakumap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.253.17.2
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap interface baku-outside
crypto map vpnclientmap 10 ipsec-isakmp dynamic dyn
crypto map vpnclientmap interface remote-access
crypto isakmp identity hostname
crypto isakmp enable baku-outside
crypto isakmp enable remote-access
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 azt_data
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
priority-queue baku-outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.32.2
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs disable
username admin password fOxbBT5HEEz5OxJT encrypted
username user password fLERg0YSl2ueJmtn encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool raccess
default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 10.253.17.2 type ipsec-l2l
tunnel-group 10.253.17.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
I am connecting from the inside of my network from 192.168.32.0 subnet to interface 192.168.20.1.
Jody Lemoine
Your problem description seems to indicate that you want this traffic to go across your VPN. Your 192.168.20.1 source isn't covered by any of your VPN ACLs, so it's going to fall to normal routing. The error you've indicated will come up if there isn't a route for the destination IP address in the routing table.
ASKER
When I establish a vpn connection from a Cisco VPN client from 192.168.32.0 subnet to 192.168.20.1 this error comes up. It has nothing to do with Lan-to-Lan IPSec VPN configured on Gig ethernet 0/3
Ah, okay... that makes more sense. What does the routing table currently look like?
ASKER
It has 192.168.32.0 as connected and 192.168.20.0 as connected as well.
Try adding the following to see if it helps:
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
ASKER
Will be able to do it only tomorrow. Doesnt seem to help, but thank you anyway. Any other suggestions?
I notice both interfaces have security level 100, but I see no same-security-traffic commands.
But before I suggest trying that, why do you have so many sec 100 interfaces? :)
But before I suggest trying that, why do you have so many sec 100 interfaces? :)
Well, guess I'm just blind. Still, why do you have so many sec 100 interfaces?
ASKER
Only two operational interfaces with security-level 100, is it that so many? :) I tried to change security level on remote access interafce to something other than 100, no results..
Hm, are you trying to connect to an interface that is not the one closest to you? I really don't think that is possible. You generally can't even ping such interfaces.
Only exception I am aware of is management-access interfaces, AFTER establishing a VPN to another interface.
Only exception I am aware of is management-access interfaces, AFTER establishing a VPN to another interface.
ASKER
Well, I thought about it, I know I cant ping it, but the things is ASA starts responding to ISAKMP requests and then, at some point, it refuses to negotiate with that "Routing" error and my VPN client terminates connection with a "remote gateway stopped responding" error.
I'm pretty sure it isn't possible. But what's wrong with terminating it on the 192.168.32.9 addy?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.