Cisco Firewall :: ASA5510 Routing Failed To Locate Next Hop
Jun 14, 2012
I have two interfaces connected to two different subnet - interface 0/1 = 10.100.1.0/24 , interface0/2 = 10.100.113.0/24 as they are direct connected to the ASA i assume i dont need to add an static route but when i try to ping from one interface to the other (ping inside 10.100.113.1) i get "Routing failed to locate next hop". [code]
we have a asa that block some ip dresse with this reason ( Drop-reason:(no-adjacency ) No valid adjacency ) and when i check the log i found this message for the same blocked ip adresse when they try to make dmvpn tunnel wyh the hub . Routing failed to locate next hop for UDP from MPLS:10.0.104.53/500 to MPLS:10.5.250.251/500 i inform you that the ip adresse of the hub (10.5.250.251 ) is connected in DMVPN Interface not MPLS ,and tha ASA is configured with na nat-cotrol command .nat is not configured.
having a bit of trouble setting up our 5510. None of us have ever played with a firewall before. We've got most of the basics covered. I was able to get to the outside world to do a software update to the box, but my laptop that sits in the inside can't see the outside. We only have the default access rules in place at the moment. Our old ISA firewall rules don't really translate all that well to this new box.
I have ASA 5510 with 8.3 version and using multi context. I created a new context ABC and tryed to add routes in the context for the ABC networks it would not work. There was an error in the log stating, “failed to locate egress interface”. I changed the metric on the static routes from 1 to 2 and it started working. Is it normal in a multi context?
I have ASA 5505, in routed mode, basic license.I run a web server in DMZ. I can reach Internet from DMZ. Also, the trafic from outside can reach the web server. However, if the web site is requested from within the DMZ, the request will fail, and the firewall log contains the following message:
Failed to locate egress interface for TCP from DMZ50: 184.108.40.206/49213 to 220.127.116.11/80
I don't have DNS, so the request must go to Internet, even the web site is hosted on the server in DMZ. Here is sample of my config file: interface Vlan1 nameif inside security-level 100 ip address 18.104.22.168 255.255.255.0 ! interface Vlan2
What can be the reason for requests, originated in DMZ, to fail, and how could it be fixed?
I have a issue with our ASA firewall. I have a firewall which has inside, outside and DMZ interface. I have VPN clients that connect correctly and can acces the internal network. However for the profiles I have setup to connect via VPN to the DMZ network fails with the following messages.
We need to connect from an external computer connected by cisco-vpn-client to one internal server that is behind an ASA 5505 config with Easy VPN. The VPN connection with the client to our 5520 firewall is fine, but when I try to connect to the server on the LAN, FW log says:
Routing failed to locate next hop for TCP from Internet:172.17.1.215/1108 to Lan_Interna:22.214.171.124/3389 Attached image.
I would swear this worked at one point. I have a corporate office, and I have IPSec tunnels out to my outside offices. The corporate office has an ASA5510, and most of the remote offices are running off of Pix506s, one office has an ASA5505.
When anyone connects through WebVPN, using AnyConnect or not, they can contact any of the cifs shares for servers inside the corporate office. They cannot, however, contact cifs shares on servers that are in the remote offices.
I got an asa5510. After problems with ipsec connections the log said :
LU allocate xlate failed this error repeats every minute. At the cisco site i found the following :
explantion : stateful failover failed to allocate a translation (xlate) slot record recommended Action : check the available memory by using the show memory command to make sure that the security appliance had free memory in the system. If no memory is available, add more memory
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed 2. secondary took over and is now secondary - active (as per sh fail) 2. requested RMA at Cisco 3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary 4. issued wr erase and reloaded 5. copied the following commands to the new (RMA) primary unit: failover lan unit primary failover lan interface Failover Ethernet3 failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10 int eth3 no shut failover wr mem 6. installed primary unit into rack 7. plugged-in all cables (network, failover, console and power) 8. fired up the primary unit 9. expected that the unit shows: Detected an Active mate Beginning configuration replication from mate. End configuration replication from mate. 10. but nothing happened on primary unit
What is a valid and viable approach in replacing a failed primary unit? Is there a missing step that hinders me to successfully replicate the secondary - active config to the primary - standby unit.
I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
I I try to ping a Host in the ITCS Network (i.e. 192.168.50.10) from the STI Interface I get the error that it failes to locate next hop. I'm quite confused buceause this network are direct attached, so the routes should be fine:
6Nov 30 201215:01:16110003192.168.3.990192.168.50.100Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.3.99/0 to STI-Netz:192.168.50.10/0
There is a PIX 506E and ASA5510, with different connection to service provider. Problem is Apple remote users can't access resources protected by the PIX506E. Apple users can access resources protected by ASA5510. Physically the PIX and ASA are in close proximity with no physical connections. Is it possible for Apple users to authenticate with the ASA and the traffic get routed to and get authenticated by the PIX, inorder to access resources?Due to bandwidth restrictions, a DMZ on the ASA will not be created at this time inorder to consolodate firewalls. Currently 2 x T1 is the connection between ASA and ISP; 1 T1 connects PIX to ISP.
I wanted an ASA to do hairpin routing. Here is the situation. A client was running there internet through a partner's WAN. They do not have a layer3 switch/router, and the defautl gateway on there network was actually the the partner's equip. They recently purchased there own internet circuit and an ASA5510. I initially tried putting in the nat exception and permit same security interface and static route on the ASA so that traffic bound for the extranet segment would be routed back out the inside interface toward the gateway to the partner's WAN. Pings worked right away, however no applications would work: no web traffic, application traffic, anything. My only guess is that the ASA does not like this in relation to stateful traffic flow, and the fact that since the partner's gateway is on the same subnet, you end up with asymentric routing.
I am having Cisco 3845 series router with c3900-universalk9-mz.SPA.151-4.M2.bin IOS . I want to install new Licence on it for DATA. When i am trying to install licence on it i am facing the error "% Error: License installation failed with error: XML parsing failed".
I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).
I have a ASA5510 with 2 internal interfaces (inside1 and inside2 same security level) configured with OSPF for dynamic routing with 2 routers to corporate subnets. I have a server in a private subnet that needs to be accessed from Internet. So static pat is used in ASA with the command
As OSPF is in use, the subnet 192.168.1.0/24 may be reachable from interface inside2. When I tried to configure the static command for inside2,
static (inside2, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255.the error message came out "WARNING: mapped-address conflict with existing static...". Is this just a warning, or this is not possible in ASA.
I have ezVPN Clients connected to the ASA5510. Those Clients are assigned an IP from 192.168.236.0/24 Pool.
I have a Router of a contractor connected to a dedicated ASA Interface called IBIZA with IP Net 10.100.10.0/24 and the Router itself with the IP 10.100.10.1. Behind that Router is another private Network which I need to reach from the ezVPN Clients.
The Connection from the ezVPN Clients to the "LAN" Interface/Network on the ASA works fine, but I cannot reach either the Contractor Router (10.100.10.1) nor the Network behind that.
From the LAN Network (on the LAN Interface) I can reach both the Contractor Router and the Network behind.
When I use the Packet Tracer Tool from the ASDM it tells me that the Traffic goes through but ends on the LAN Interface. But it should end on the IBIZA Interface or am I wrong here ?
What do I need to tell the ASA to route the Traffic from the ezVPN Client to the Contractor Router and back ? I have set up the ezVPN Connection as full-tunnel so all Traffic goes through the VPN Tunnel. That shouldn´t be the Problem.
I try to setup a ASA5510, but without success. Actually, I have Cisco1800(192.168.96.1/21) from my ISP connected to a Cisco 3825 (via port with IP 192.168.96.2) all is working good. Now I want to insert a asa firewall between ISP router and 3825.
For that, I tried a more simple config : ISProuter (192.168.96.1/21) ---- ASA outside port(192.168.96.2/255.255.255.248) ASA INSIDE port (192.168.100.1/255.255.255.0) --- a pc with IP 192.168.100.2, netsmask 255.255.255.0, gateway 192.168.100.1 From my ASA, I can ping 192.168.96.1. but a "ping INSIDE 192.168.96.1" fail from py pc, can ping 192.168.100.1, but not 192.168.96.1 Here, my ASA config :
ASA Version 7.0(8)host name cisco asa enable password 8Ry2YjIyt7RRXU24 encrypted password 2KFQnbNIdI.2KYOU encrypted names dns-guard ! interface Ethernet0/0 shutdown no nameif no security-level no ip address [code]....
I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing
ATT notified my company we have a virus infected pc on one our networks which sits behind a Cisco ASA 5505 running 7.2(4). The set up is a basic inside/outside NAT configuration. They gave us the destination ip address and port which the our pc is contacting. I have been tasked to track down the infected pc. I created the following access-list and applied to the inside interface:
access-list VIRUS extended permit TCP ANY host x.x.x.x EQ YYYYY log debugging interval 600 access-group VIRUS in interface inside
I enable logging to the console whose output did not list the IP address of the infected pc, only the ip address of the DNS servers we were using. I then used the following capture commands to try locate the internal ip address of the infected pc:
Neither step worked and the resulting console output overwhelmed the firewall in a very short period of time. Before attempting this task again, I would like to know if I am going about this the right way or if there is a better methodology?
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?
I have a cisco asa 5510 with security plus license in Live enviroment . I need to add a secondary firewall . I was planning to do in active /standby mode for failover .But i have a doubt , when i do "show version " on live asa output says Active /active failover , does this means that i can only configure failover in active/active mode not in active/standby (which i want to do )?
i am using Cisco ASA5510 Firewall in my Network in the distrubition Layer .Private Range of Network Address use in the Network and PAT at the FW for address translation.presently encountering an issue the users behind the FW in my network unable to RDP at port 2000 presented at the Client Network.Able to Telnet on port2000 but not RDP . any changes needed at the FW end to get the RDP Access.
We have to use scp on all of our network devices. It worked quite well on our routers and switches but I can't seem to get it to work for the firewalls and IPS. I enabled scp on my ASA5510 using the command "ssh scopy enable". I also ensured that a rsa key was generated and that ssh ver 2 was enabled. But I can't seem to locate the commands to actually have my firewall either copy it's configuration to a server or reach out to a server to pull down a file. We are using IOS 8.2(1).
I have a customer who wants to prioritze rdp traffic throgh the firewall.I know that its port 3389, but outgoing traffic is a random port number.Any smart way to catch this traffic and get it in the LLQ ?