[c-nsp] PIX IPSEC tunnel initiation (110001: No route to dst_addr from src_addr)...

Tim Bulger timb at phreakocious.net
Wed Jul 13 22:47:24 EDT 2005


I have a truly strange problem with a PIX initiating an IPSEC tunnel.  The
error message that I get when I attempt to do a 'ping inside 172.28.8.1' is
'110001: No route to 172.28.8.1 from 172.29.8.1'.  This is an extremely
straightforward configuration and was working yesterday, but stopped during
the process of experimenting to find the optimal 'isakmp keepalive' value.
I don't have any complexity to my routing table or overlapping routes, and I
have a functional default gateway configured.  I have tried this on 6.2(4),
6.3(3), and 6.3(4).  I have stuck with 6.3(3) because with 6.3(4), I can
watch my free memory drop by about .5MB/sec until there is almost none left
and the device becomes unstable.

Sorry for the long-winded email, but I don't have much hair left to tear
out. :)  Any help would be greatly appreciated.
-Tim

Sanitized config follows:
 
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password xxxx encrypted
passwd xxxx encrypted
hostname xxxx
domain-name xxxx.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nat-bypass permit ip any 10.0.0.0 255.0.0.0 
access-list nat-bypass permit ip any 172.16.0.0 255.240.0.0 
access-list nat-bypass permit ip any 192.168.0.0 255.255.0.0
access-list inbound permit icmp any any echo 
access-list inbound permit icmp any any echo-reply 
access-list inbound permit icmp any any time-exceeded 
access-list inbound permit icmp any any unreachable 
access-list site-x-nets permit ip 172.29.1.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list site-x-nets permit ip 172.29.1.0 255.255.255.0 172.28.8.0 255.255.255.0
access-list site-x-nets permit ip 172.29.1.0 255.255.255.0 172.28.88.0 255.255.255.0
access-list site-x-nets permit ip 172.29.8.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list site-x-nets permit ip 172.29.8.0 255.255.255.0 172.28.8.0 255.255.255.0
access-list site-x-nets permit ip 172.29.8.0 255.255.255.0 172.28.88.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered informational
logging trap informational
logging host inside 172.29.8.222
no logging message 111008
no logging message 111007
icmp permit any outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 222.222.222.4 255.255.255.240
ip address inside 172.29.8.1 255.255.255.0
ip address DMZ 172.29.88.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 200 interface
nat (inside) 0 access-list nat-bypass
nat (inside) 200 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 access-list nat-bypass
nat (DMZ) 200 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 222.222.222.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa authentication ssh console LOCAL
ntp server 33.33.33.33 source outside
ntp server 44.44.44.44 source outside
snmp-server host inside 172.29.8.222
no snmp-server location
no snmp-server contact
snmp-server community xxxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address site-X-nets
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth 
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 111.111.111.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
username xxxx pass xxxx priv 15
terminal width 80
 


