No route Syslog Error Pix 525 Version 7.0

19 years 3 weeks ago #9894 by zombie024
I have a pix 525 running version 7.0.

The following interfaces are configured:


interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0.40
vlan 40
nameif inside
security-level 100
ip address 172.17.23.30 255.255.255.0
!
interface GigabitEthernet0.201
vlan 201
nameif WAPs
security-level 90
ip address 172.17.29.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 65.199.113.30 255.255.255.0

The ICMP inspection engine is active

The following routes are configured:

S 0.0.0.0 0.0.0.0 [1/0] via 65.199.113.1, outside
C 65.199.113.0 255.255.255.0 is directly connected, outside
S 172.17.0.0 255.255.0.0 [1/0] via 172.17.23.1, inside
C 172.17.23.0 255.255.255.0 is directly connected, inside
C 172.17.29.0 255.255.255.0 is directly connected, WAPs

There is nothing else in my config which would relate to this problem. I stripped everything out to troubleshoot.

I have a laptop attached to a switch on vlan 201. The IP address of the laptop is 172.17.29.2.

I can ping the following:

1) 172.17.29.2 from 172.17.29.1
2) Any address in my network from 172.17.23.30

I am unable to ping the following:

1) 172.17.29.2 from 172.17.23.30
2) 172.17.29.2 from any address in my network
3) Any address in my network from 172.17.29.1

The following message is generated when I attempt to ping 172.17.29.2 from the inside interface of the pix:

Sep 02 2005 00:24:59: %PIX-6-110001: No route to 172.17.29.2 from 172.17.23.30

For some odd reason the pix states it is unable to find a route to a host which has a directly connected interface on the firewall. It's not complaining about an ACL or a problem with nat. Just that there is no route.

When I attempt to ping the WAPs interface from the inside interface the following message is generated:

Sep 02 2005 00:31:38: %PIX-6-110001: No route to 172.17.29.1 from 172.17.23.30

It's as if the directly connected interfaces are unable to route between each other.

I have been working on this for days and am absolutely baffled. This firewall was running version 6.3 before the upgrade and everything worked. I ended up moving everything off this firewall to another pix running 6.3 just so I could upgrade this one to try and determine why everything was failing after the upgrade.

Any ideas would be much appreciated. I read through Cisco's ASA and PIX Firewall handbook which includes Version 7.0 but was not able to make this work.
19 years 1 day ago #10255 by tomcatty
I'm having exactly the same problem after upgrading from 6.3.1 to 6.3.3. Anyone help?
18 years 11 months ago #10318 by TheeGreatCornholio
Guys,

I've seen this a lot. I've had a lot of conversations with PIX developers to try and understand just WTF the PIX thinks it's doing. In the end, it all has to do with the way the PIX processes traffic (i.e. its order of operation). The most important thing to remember about the PIX is that one of the first things it attempts to do is NAT, even before it looks at the routing table. This message will typically appear if the PIX has a discrepancy between the NAT table and the routing table.

Your configuration output is missing information about your NAT translations (globals, nats, statics). This is most likely the section of the configuration where the problems are. Yes, even though the logs say it's a routing problem, it's not. It is NAT. If you are willing, drop your entire config in your reply and I will be able to pinpoint your exact problem.

I hope this helps you out...
17 years 10 months ago #17689 by robi_asa
Hi,
I have the same problem. How did you solve it?
bye
17 years 10 months ago #17713 by Smurf
I would also be interested in seeing the complete config to take a look at this problem.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 4 months ago #21752 by shirpala
Replied by shirpala on topic Great feedback
Gentlemen,
This was great feedback. Thank you. After I read the comment regarding nat, I checked my static statement and it took care of the no route error message. You guys rock, now I can go enjoy my weekend :-)