[c-nsp] PIX IPSEC tunnel initiation (110001: No route to dst_addrfrom src_addr)...

Kenny Sallee k_sallee at yahoo.com
Thu Jul 14 11:32:33 EDT 2005


What about using the command "management-access inside" on both sides of the tunnel?

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951


Kenny

--- Tim Bulger <timb at phreakocious.net> wrote:

> In this particular case, it doesn't even attempt isakmp or IPSec
> negotiations.. It seems to just drop the packets.  In fact, it attempts to
> send the standard 3 pings, but the event only appears once in the log.  If I
> remove the associated line from the access list, it will send the packet
> source NAT'ed to the outside IP of the firewall (as expected).
> 
> -Tim
> 
> -----Original Message-----
> From: Church, Chuck [mailto:cchurch at netcogov.com]
> Sent: Wednesday, July 13, 2005 9:20 PM
> To: Tim Bulger; cisco-nsp
> Subject: RE: [c-nsp] PIX IPSEC tunnel initiation (110001: No route to dst_addrfrom src_addr)...
> 
> Does it try to bring up the tunnel when you do that, and possibly give you
> that error message when the isakmp or IPSec fails?
> 
> 
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
> 
> 
> -----Original Message-----
> From: Tim Bulger [mailto:timb at phreakocious.net]
> Sent: Thursday, July 14, 2005 12:00 AM
> To: Church, Chuck; 'cisco-nsp'
> Subject: RE: [c-nsp] PIX IPSEC tunnel initiation (110001: No route to dst_addrfrom src_addr)...
> 
> Pinging from the inside interface will source the packet from an IP address
> that is included as a source in the 'match address' access list and bring
> the tunnel up (this has always been my experience).  Pinging from the
> outside interface results in it actually sending from the outside IP
> unencrypted.  I have also tried things like 'route outside 172.28.8.0
> 255.255.255.0 default_gw' and got the same message.  6.2(4) had a switch
> called 'sysopt route dnat' which had no noticeable effect in any
> configuration.
> 
> Thanks!
> 
> http://phreakocious.net/brokenPIX.txt
> 
> -----Original Message-----
> From: Church, Chuck [mailto:cchurch at netcogov.com]
> Sent: Wednesday, July 13, 2005 8:39 PM
> To: Tim Bulger; cisco-nsp
> Subject: RE: [c-nsp] PIX IPSEC tunnel initiation (110001: No route to dst_addrfrom src_addr)...
> 
> 172.28.8.0/24 is a destination defined in the crypto map.  The crypto stuff
> is all applied to the outside interface.  Trying to ping it via the inside
> interface when no route is defined for it on the inside seems to be the
> cause.  Try pinging it via the outside interface.  Then again, I'm not sure
> if the locally-generated traffic will cause the IPSec tunnel to come up.
> 
> 
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Bulger
> Sent: Wednesday, July 13, 2005 10:47 PM
> To: 'cisco-nsp'
> Subject: [c-nsp] PIX IPSEC tunnel initiation (110001: No route to dst_addrfrom src_addr)...
> 
> I have a truly strange problem with a PIX initiating an IPSEC tunnel.  The
> error message that I get when I attempt to do a 'ping inside 172.28.8.1' is
> '110001: No route to 172.28.8.1 from 172.29.8.1'.  This is an extremely
> straightforward configuration and was working yesterday, but stopped during
> the process of experimenting to find the optimal 'isakmp keepalive' value.
> I don't have any complexity to my routing table or overlapping routes, and I
> have a functional default gateway configured.  I have tried this on 6.2(4),
> 6.3(3), and 6.3(4).  I have stuck with 6.3(3) because with 6.3(4), I can
> watch my free memory drop by about .5MB/sec until there is almost none left
> and the device becomes unstable.
> 
> Sorry for the long-winded email, but I don't have much hair left to tear
> out. :)  Any help would be greatly appreciated.
> -Tim
> 
> Sanitized config follows:
> 
> 
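As an added example (not any poster's configuration and not taken from Cisco's documentation), here is what a minimal PIX 6.3-style site-to-site setup with Kenny's suggested "management-access inside" looks like, using the 172.29.8.0/24 (local) and 172.28.8.0/24 (remote) networks from the thread. The peer and gateway addresses 203.0.113.2 and 203.0.113.1, the access-list and crypto map names, the pre-shared key placeholder and the transform set are assumptions chosen for illustration; the remote PIX would carry the mirror image with the networks and peer swapped.

```cisco
! Added example: PIX 6.3-style site-to-site IPsec with management-access.
! 172.29.8.0/24 and 172.28.8.0/24 come from the thread; the peer address,
! names, key placeholder and transform set are assumptions.

! Interesting traffic for the tunnel, and NAT exemption for the same traffic
! (without the exemption the packet would leave source NAT'ed to the outside IP)
access-list vpn_to_remote permit ip 172.29.8.0 255.255.255.0 172.28.8.0 255.255.255.0
nat (inside) 0 access-list vpn_to_remote

! Default route out the outside interface; the remote network needs no
! separate route, the crypto map bound to outside catches it
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Phase 1 (ISAKMP)
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp keepalive 10 5

! Phase 2 (IPsec)
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
sysopt connection permit-ipsec

! Allow traffic the PIX itself sources from its inside interface address
! (ping inside, syslog, telnet/ssh to the inside address) to be matched
! against the crypto map and carried over the tunnel. Only one interface
! can be named here.
management-access inside
```

After applying this on both ends, "ping inside 172.28.8.1" should trigger an ISAKMP negotiation rather than a route lookup failure; "show crypto isakmp sa" and "show crypto ipsec sa" show whether Phase 1 and Phase 2 SAs were built, and "debug crypto isakmp" shows whether negotiation was attempted at all. If the 110001 message still appears with no debug output, the packet is being dropped before the crypto map is consulted, which is worth confirming before changing keepalive or route settings further.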



		
 

