  • Status: Solved
Routing failed to locate next hop for UDP from NP Identity

I am setting up a remote access VPN to the ASA and get the following error: Routing failed to locate next hop for UDP from NP Identity Ifc:192.168.20.1/62465 to remote-access:192.168.32.118/47112

Here is the config:

hostname azt-bridge-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif azt-inside
 security-level 100
 no ip address
!
interface GigabitEthernet0/0.32
 vlan 32
 nameif azt_data
 security-level 100
 ip address 192.168.32.9 255.255.255.0
!
interface GigabitEthernet0/0.129
 shutdown
 vlan 129
 nameif azt_voice
 security-level 100
 ip address 192.168.128.9 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif remote-access
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif baku-outside
 security-level 0
 ip address 10.253.17.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
access-list 110 extended permit ip 192.168.128.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list 110 extended permit ip 192.168.32.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list nonat extended permit ip 192.168.21.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list nonat extended permit ip 192.168.21.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list test extended permit ip any any
pager lines 24
logging monitor debugging
logging asdm informational
mtu azt-inside 1434
mtu azt_data 1434
mtu azt_voice 1434
mtu baku-outside 1434
mtu management 1434
mtu remote-access 1500
ip local pool raccess 192.168.21.0-192.168.21.120 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (remote-access) 0 access-list nonat
access-group test in interface remote-access
!
router eigrp 2009
 no auto-summary
 neighbor 10.253.17.2 interface baku-outside
 network 10.253.17.0 255.255.255.0
 network 192.168.32.0 255.255.255.0
 network 192.168.128.0 255.255.255.0
 redistribute static
!
route azt_data 192.168.128.0 255.255.255.0 192.168.32.8 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn 1 set transform-set vpnclienttrans raccess
crypto map bakumap 10 set security-association lifetime seconds 28800
crypto map bakumap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.253.17.2
crypto map mymap 20 set transform-set myset
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000
crypto map mymap interface baku-outside
crypto map vpnclientmap 10 ipsec-isakmp dynamic dyn
crypto map vpnclientmap interface remote-access
crypto isakmp identity hostname
crypto isakmp enable baku-outside
crypto isakmp enable remote-access
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 azt_data
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
priority-queue baku-outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.32.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 pfs disable
username admin password fOxbBT5HEEz5OxJT encrypted
username user password fLERg0YSl2ueJmtn encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 10.253.17.2 type ipsec-l2l
tunnel-group 10.253.17.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp

I am connecting from the inside of my network from 192.168.32.0 subnet to interface 192.168.20.1.
1 Solution
 
Jody Lemoine (Network Architect) commented:
Your problem description seems to indicate that you want this traffic to go across your VPN.  Your 192.168.20.1 source isn't covered by any of your VPN ACLs, so it's going to fall to normal routing.  The error you've indicated will come up if there isn't a route for the destination IP address in the routing table.
fgasimzade (Author) commented:
When I establish a VPN connection from a Cisco VPN client from the 192.168.32.0 subnet to 192.168.20.1, this error comes up. It has nothing to do with the LAN-to-LAN IPsec VPN configured on GigabitEthernet0/3.
Jody Lemoine (Network Architect) commented:
Ah, okay... that makes more sense.  What does the routing table currently look like?
 
fgasimzade (Author) commented:
It has 192.168.32.0 as connected and 192.168.20.0 as connected as well.
Jody Lemoine (Network Architect) commented:
Try adding the following to see if it helps:

access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
fgasimzade (Author) commented:
Will be able to do it only tomorrow. Doesn't seem to help, but thank you anyway. Any other suggestions?
Voltz-dk commented:
I notice both interfaces have security level 100, but I see no same-security-traffic commands.

But before I suggest trying that, why do you have so many sec 100 interfaces? :)
Voltz-dk commented:
Well, guess I'm just blind.  Still, why do you have so many sec 100 interfaces?
fgasimzade (Author) commented:
Only two operational interfaces with security-level 100, is that so many? :) I tried to change the security level on the remote access interface to something other than 100, no results.
Voltz-dk commented:
Hm, are you trying to connect to an interface that is not the one closest to you?  I really don't think that is possible.  You generally can't even ping such interfaces.

Only exception I am aware of is management-access interfaces, AFTER establishing a VPN to another interface.
fgasimzade (Author) commented:
Well, I thought about it. I know I can't ping it, but the thing is the ASA starts responding to ISAKMP requests and then, at some point, it refuses to negotiate with that "Routing" error and my VPN client terminates the connection with a "remote gateway stopped responding" error.
Voltz-dk commented:
I'm pretty sure it isn't possible.  But what's wrong with terminating it on the 192.168.32.9 addy?
fgasimzade (Author) commented:
Nothing wrong with that, just wanted a separate interface for remote access. I changed our topology, this issue is no longer relevant. Thank you!
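The thread closes without the error being traced to the configuration, so the following is an added diagnostic model (written for this page; it is not from the original post and not Cisco code) that reproduces the two checks the answerers reason about: Jody Lemoine's "is there a route for the destination in the routing table" and Voltz-dk's "terminate the VPN on the interface closest to you". It parses the interface and route statements from an excerpt of the posted config into a routing table and does a longest-prefix lookup. The modelling assumption is mine, not something the page states: the ASA sources its reply to the client from the interface that owns the address the client targeted, so the client's address must be routable through that same interface. The posted log line names exactly that pair (remote-access as the egress interface, 192.168.32.118 as the destination) while the config places 192.168.32.0/24 on azt_data, and the example shows how terminating on 192.168.32.9 instead makes the two interfaces agree.

```python
import ipaddress

# Excerpt of the interface and route statements from the posted config,
# embedded here so the example runs offline (only the lines the parser uses).
ASA_CONFIG = """
interface GigabitEthernet0/0.32
 vlan 32
 nameif azt_data
 security-level 100
 ip address 192.168.32.9 255.255.255.0
!
interface GigabitEthernet0/0.129
 shutdown
 vlan 129
 nameif azt_voice
 security-level 100
 ip address 192.168.128.9 255.255.255.0
!
interface GigabitEthernet0/2
 nameif remote-access
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
route azt_data 192.168.128.0 255.255.255.0 192.168.32.8 1
"""


def parse_config(text):
    """Return (interfaces, routes): nameif -> (IPv4Interface, is_up) and a list of
    (IPv4Network, nameif, gateway) built from 'route' statements."""
    interfaces, routes = {}, []
    nameif = addr = None
    up = True
    for line in text.splitlines():
        if line.startswith("interface "):          # new block: flush the previous one
            if nameif and addr:
                interfaces[nameif] = (addr, up)
            nameif = addr = None
            up = True
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.strip() == "shutdown":
            up = False
        elif line.startswith(" ip address "):
            _, _, ip, mask = line.split()
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("route "):            # route <ifc> <net> <mask> <gw> [metric]
            _, ifc, net, mask, gw = line.split()[:5]
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), ifc, ipaddress.ip_address(gw)))
    if nameif and addr:
        interfaces[nameif] = (addr, up)
    return interfaces, routes


def routing_table(interfaces, routes):
    """Connected routes for interfaces that are up (gateway None), plus the statics."""
    return [(ifc.network, name, None) for name, (ifc, up) in interfaces.items() if up] + routes


def lookup(table, dst):
    """Longest-prefix match, connected preferred on a tie; None when no route exists."""
    dst = ipaddress.ip_address(dst)
    matches = [m for m in table if dst in m[0]]
    if not matches:
        return None
    _, ifc, gw = max(matches, key=lambda m: (m[0].prefixlen, m[2] is None))
    return ifc, (gw if gw is not None else dst)   # connected: next hop is the host itself


def owning_interface(interfaces, addr):
    """Name of the up interface whose own address is addr, or None."""
    addr = ipaddress.ip_address(addr)
    return next((n for n, (ifc, up) in interfaces.items() if up and ifc.ip == addr), None)


def diagnose(config_text, client_ip, target_ip):
    """Model of the thread's failure: the reply is sourced from the interface that owns
    target_ip (assumption), so client_ip must route out that same interface."""
    interfaces, routes = parse_config(config_text)
    owner = owning_interface(interfaces, target_ip)
    if owner is None:
        return {"ok": False, "reason": f"{target_ip} is not an up interface address"}
    route = lookup(routing_table(interfaces, routes), client_ip)
    if route is None:
        return {"ok": False, "target_ifc": owner, "reason": f"no route to {client_ip}"}
    via, next_hop = route
    return {"ok": via == owner, "target_ifc": owner, "client_via": via,
            "next_hop": str(next_hop),
            "reason": "" if via == owner else f"client reached via {via}, not {owner}"}


if __name__ == "__main__":
    # The case from the thread: client 192.168.32.118 targets 192.168.20.1.
    print(diagnose(ASA_CONFIG, "192.168.32.118", "192.168.20.1"))
    # Voltz-dk's alternative: terminate on the azt_data address 192.168.32.9.
    print(diagnose(ASA_CONFIG, "192.168.32.118", "192.168.32.9"))
```

Feeding the whole running config to `parse_config` works the same way, since it only keys on `interface`, `nameif`, `shutdown`, `ip address` and `route` lines; a destination with no match (the config has no default route) comes back as "no route", which is the condition Jody Lemoine describes.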