[c-nsp] PIX IPSEC tunnel initiation (110001: No route to
dst_addrfrom src_addr)... *FIXED*
Tim Bulger
timb at phreakocious.net
Thu Jul 14 11:50:46 EDT 2005
Add this to the list of obscure, but necessary commands as this has solved
my problem. Not entirely sure at what point I managed to remove it from the
config. Thanks to those who responded for your help, and the prize of my
undying gratitude goes to Mr. Sallee. =)
-Tim
-----Original Message-----
From: Kenny Sallee [mailto:k_sallee at yahoo.com]
Sent: Thursday, July 14, 2005 8:33 AM
To: Tim Bulger; 'Church, Chuck'; 'cisco-nsp'
Subject: RE: [c-nsp] PIX IPSEC tunnel initiation (110001: No route to
dst_addrfrom src_addr)...
What about using the command "management-access inside" on both sides of the
tunnel?
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref
/mr.htm#wp1137951
Kenny
--- Tim Bulger <timb at phreakocious.net> wrote:
> In this particular case, it doesn't even attempt isakmp or IPSec
> negotiations.. It seems to just drop the packets.
> In fact, it attempts to
> send the standard 3 pings, but the event only appears once in the log.
> If I remove the associated line from the access list, it will send the
> packet source NAT'ed to the outside IP of the firewall (as expected).
>
> -Tim
>
> -----Original Message-----
> From: Church, Chuck [mailto:cchurch at netcogov.com]
> Sent: Wednesday, July 13, 2005 9:20 PM
> To: Tim Bulger; cisco-nsp
> Subject: RE: [c-nsp] PIX IPSEC tunnel initiation
> (110001: No route to
> dst_addrfrom src_addr)...
>
> Does it try to bring up the tunnel when you do that, and possibly give
> you that error message when the isakmp or IPSec fails?
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com
> PGP key:
>
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: Tim Bulger [mailto:timb at phreakocious.net]
> Sent: Thursday, July 14, 2005 12:00 AM
> To: Church, Chuck; 'cisco-nsp'
> Subject: RE: [c-nsp] PIX IPSEC tunnel initiation
> (110001: No route to
> dst_addrfrom src_addr)...
>
> Pinging from the inside interface will source the packet from an IP
> address that is included as a source in the 'match address'
> access list and bring
> the tunnel up (this has always been my experience).
> Pinging from the
> outside interface results in it actually sending from the outside IP
> unencrypted. I have also tried things like 'route outside 172.28.8.0
> 255.255.255.0 default_gw' and got the same message.
> 6.2(4) had a switch
> called 'sysopt route dnat' which had no noticeable effect in any
> configuration.
>
> Thanks!
>
> http://phreakocious.net/brokenPIX.txt
>
> -----Original Message-----
> From: Church, Chuck [mailto:cchurch at netcogov.com]
> Sent: Wednesday, July 13, 2005 8:39 PM
> To: Tim Bulger; cisco-nsp
> Subject: RE: [c-nsp] PIX IPSEC tunnel initiation
> (110001: No route to
> dst_addrfrom src_addr)...
>
> 172.28.8.0/24 is a destination defined in the crypto map. The crypto
> stuff is all applied to the outside interface. Trying to ping it via
> the inside interface when no route is defined for it on the inside
> seems to be the cause. Try pinging it via the outside interface.
> Then again, I'm not sure
> if the locally-generated traffic will cause the IPSec tunnel to come
> up.
>
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> Team 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com
> PGP key:
>
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf
> Of Tim Bulger
> Sent: Wednesday, July 13, 2005 10:47 PM
> To: 'cisco-nsp'
> Subject: [c-nsp] PIX IPSEC tunnel initiation
> (110001: No route to
> dst_addrfrom src_addr)...
>
> I have a truly strange problem with a PIX initiating
> an IPSEC tunnel.
> The
> error message that I get when I attempt to do a
> 'ping inside 172.28.8.1'
> is
> '110001: No route to 172.28.8.1 from 172.29.8.1'.
> This is an extremely
> straightforward configuration and was working
> yesterday, but stopped during
> the process of experimenting to find the optimal
> 'isakmp keepalive'
> value.
> I don't have any complexity to my routing table or
> overlapping routes, and I
> have a functional default gateway configured. I
> have tried this on 6.2(4),
> 6.3(3), and 6.3(4). I have stuck with 6.3(3)
> because with 6.3(4), I can
> watch my free memory drop by about .5MB/sec until
> there is almost none left
> and the device becomes unstable.
>
> Sorry for the long winded email, but I don't have
> much hair left to tear
> out. :) Any help would be greatly appreciated.
> -Tim
>
> Sanitized config follows:
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at
> http://puck.nether.net/pipermail/cisco-nsp/
>
____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
More information about the cisco-nsp
mailing list