Routing failed to locate next hop for UDP from NP Identity

I am setting up a remote access VPN to an ASA and get the following error: Routing failed to locate next hop for UDP from NP Identity Ifc: to remote-access:

Here is the config:

hostname azt-bridge-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 nameif azt-inside
 security-level 100
 no ip address
interface GigabitEthernet0/0.32
 vlan 32
 nameif azt_data
 security-level 100
 ip address
interface GigabitEthernet0/0.129
 vlan 129
 nameif azt_voice
 security-level 100
 ip address
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2
 nameif remote-access
 security-level 100
 ip address
interface GigabitEthernet0/3
 nameif baku-outside
 security-level 0
 ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
access-list 110 extended permit ip
access-list 110 extended permit ip
access-list nonat extended permit ip
access-list nonat extended permit ip
access-list test extended permit ip any any
pager lines 24
logging monitor debugging
logging asdm informational
mtu azt-inside 1434
mtu azt_data 1434
mtu azt_voice 1434
mtu baku-outside 1434
mtu management 1434
mtu remote-access 1500
ip local pool raccess mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (remote-access) 0 access-list nonat
access-group test in interface remote-access
router eigrp 2009
 no auto-summary
 neighbor interface baku-outside
 redistribute static
route azt_data 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn 1 set transform-set vpnclienttrans raccess
crypto map bakumap 10 set security-association lifetime seconds 28800
crypto map bakumap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address 110
crypto map mymap 20 set peer
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap interface baku-outside
crypto map vpnclientmap 10 ipsec-isakmp dynamic dyn
crypto map vpnclientmap interface remote-access
crypto isakmp identity hostname
crypto isakmp enable baku-outside
crypto isakmp enable remote-access
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh azt_data
ssh timeout 30
console timeout 0
dhcpd address management
dhcpd enable management
priority-queue baku-outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn internal
group-policy vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec
 pfs disable
username admin password fOxbBT5HEEz5OxJT encrypted
username user password fLERg0YSl2ueJmtn encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp

I am connecting from the inside of my network from subnet to interface
fgasimzade (Author) commented:
Nothing wrong with that, just wanted a separate interface for remote access. I changed our topology, this issue is no longer relevant. Thank you!
Jody Lemoine (Network Architect) commented:
Your problem description seems to indicate that you want this traffic to go across your VPN. Your source isn't covered by any of your VPN ACLs, so it's going to fall to normal routing. The error you've indicated will come up if there isn't a route for the destination IP address in the routing table.
fgasimzade (Author) commented:
When I establish a vpn connection from a Cisco VPN client from subnet to this error comes up. It has nothing to do with Lan-to-Lan IPSec VPN configured on Gig ethernet 0/3
Jody Lemoine (Network Architect) commented:
Ah, okay... that makes more sense. What does the routing table currently look like?
fgasimzade (Author) commented:
It has as connected and as connected as well.
Jody Lemoine (Network Architect) commented:
Try adding the following to see if it helps:

access-list nonat extended permit ip
fgasimzade (Author) commented:
Will be able to do it only tomorrow. Doesn't seem to help, but thank you anyway. Any other suggestions?
I notice both interfaces have security level 100, but I see no same-security-traffic commands.

But before I suggest trying that, why do you have so many sec 100 interfaces? :)
Well, guess I'm just blind.  Still, why do you have so many sec 100 interfaces?
fgasimzade (Author) commented:
Only two operational interfaces with security-level 100, is that so many? :) I tried to change security level on remote access interface to something other than 100, no results..
Hm, are you trying to connect to an interface that is not the one closest to you?  I really don't think that is possible.  You generally can't even ping such interfaces.

Only exception I am aware of is management-access interfaces, AFTER establishing a VPN to another interface.
fgasimzade (Author) commented:
Well, I thought about it, I know I can't ping it, but the thing is ASA starts responding to ISAKMP requests and then, at some point, it refuses to negotiate with that "Routing" error and my VPN client terminates connection with a "remote gateway stopped responding" error.
I'm pretty sure it isn't possible.  But what's wrong with terminating it on the addy?
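
An added example, not part of the original thread or of any Cisco tooling: a small pre-check for the two conditions raised above, namely no route to the client address at all, and a client whose route points at a different interface than the one terminating the VPN. All addresses and the static route are constructed, since the posted config has its addresses stripped; the function names are hypothetical.

```python
import ipaddress

# Constructed addressing (assumption): the posted config has no addresses.
INTERFACES = {
    "azt_data": "10.0.32.1/24",
    "azt_voice": "10.0.129.1/24",
    "remote-access": "10.0.200.1/24",
    "baku-outside": "192.0.2.1/30",
}
# (egress interface, prefix), modelled on the single "route azt_data ..." line.
STATIC_ROUTES = [("azt_data", "10.50.0.0/16")]


def build_table(interfaces, static_routes):
    """Return (network, interface) pairs for connected and static routes."""
    table = [(ipaddress.ip_interface(cidr).network, name)
             for name, cidr in interfaces.items()]
    table += [(ipaddress.ip_network(prefix), name)
              for name, prefix in static_routes]
    return table


def lookup(table, addr):
    """Longest-prefix match; returns the egress interface name or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in table if ip in net]
    return max(matches)[1] if matches else None


def check_vpn_termination(interfaces, static_routes, client_ip, target_ifc):
    """Classify a client/termination-interface pair.

    "no-route": no route covers the client address.
    "far-side": the route to the client leaves through another interface
                than the one the crypto map is applied to.
    "ok":       replies to the client leave through the target interface.
    """
    egress = lookup(build_table(interfaces, static_routes), client_ip)
    if egress is None:
        return "no-route"
    return "ok" if egress == target_ifc else "far-side"


if __name__ == "__main__":
    for client in ("10.0.32.50", "10.0.200.20", "172.16.5.5"):
        result = check_vpn_termination(INTERFACES, STATIC_ROUTES,
                                       client, "remote-access")
        print(f"{client:>12} -> remote-access: {result}")
```

With these constructed values, a client on the azt_data subnet aiming at the remote-access interface is reported as "far-side", which is the topology described in the question.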
Question has a verified solution.