No route Syslog Error Pix 525 Version 7.0
19 years 2 months ago #9894
by zombie024
No route Syslog Error Pix 525 Version 7.0 was created by zombie024
I have a pix 525 running version 7.0.
The following interfaces are configured:
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0.40
vlan 40
nameif inside
security-level 100
ip address 172.17.23.30 255.255.255.0
!
interface GigabitEthernet0.201
vlan 201
nameif WAPs
security-level 90
ip address 172.17.29.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 65.199.113.30 255.255.255.0
The ICMP inspection engine is active
The following routes are configured:
S 0.0.0.0 0.0.0.0 [1/0] via 65.199.113.1, outside
C 65.199.113.0 255.255.255.0 is directly connected, outside
S 172.17.0.0 255.255.0.0 [1/0] via 172.17.23.1, inside
C 172.17.23.0 255.255.255.0 is directly connected, inside
C 172.17.29.0 255.255.255.0 is directly connected, WAPs
There is nothing else in my config which would relate to this problem. I stripped everything out to troubleshoot.
I have a laptop attached to a switch on vlan 201. The IP address of the laptop is 172.17.29.2.
I can ping the following:
1) 172.17.29.2 from 172.17.29.1
2) Any address in my network from 172.17.23.30
I am unable to ping the following:
1) 172.17.29.2 from 172.17.23.30
2) 172.17.29.2 from any address in my network
3) Any address in my network from 172.17.29.1
The following message is generated when I attempt to ping 172.17.29.2 from the inside interface of the pix:
Sep 02 2005 00:24:59: %PIX-6-110001: No route to 172.17.29.2 from 172.17.23.30
For some odd reason the pix states it is unable to find a route to a host which has a directly connected interface on the firewall. It's not complaining about an ACL or a problem with nat. Just that there is no route.
When I attempt to ping the WAPs interface from the inside interface the following message is generated:
Sep 02 2005 00:31:38: %PIX-6-110001: No route to 172.17.29.1 from 172.17.23.30
It's as if the directly connected interfaces are unable to route between each other.
I have been working on this for days and am absolutely baffled. This firewall was running version 6.3 before the upgrade and everything worked. I ended up moving everything off this firewall to another pix running 6.3 just so I could upgrade this one to try and determine why everything was failing after the upgrade.
Any ideas would be much appreciated. I read through Cisco's ASA and PIX Firewall handbook which includes Version 7.0 but was not able to make this work.
19 years 2 months ago #10255
by tomcatty
Replied by tomcatty on topic Re: No route Syslog Error Pix 525 Version 7.0
I'm having exactly the same problem after upgrading from 6.3.1 to 6.3.3. Anyone help?
19 years 1 month ago #10318
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: No route Syslog Error Pix 525 Version 7.0
Guys,
I've seen this a lot. I've had a lot of conversations with PIX developers to try and understand just WTF the PIX thinks it's doing. In the end, it all has to do with the way the PIX processes traffic (i.e. its order of operation). The most important thing to remember about the PIX is that one of the first things it attempts to do is NAT, even before it looks at the routing table. This message will typically appear if the PIX has a discrepancy between the NAT table and the routing table.
Your configuration output is missing information about your NAT translations (globals, nats, statics). This is most likely the section of the configuration where the problems are. Yes, even though the logs say it's a routing problem, it's not. It is NAT. If you are willing, drop your entire config in your reply and I will be able to pinpoint your exact problem.
I hope this helps you out...
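The "NAT before routing" order of operations described in the reply above can be checked mechanically. The following is an added example, not code from this thread or from Cisco: it parses PIX-style interface, route and static lines, builds the routing table (connected prefixes plus static routes), and flags any static whose declared real or mapped interface disagrees with the interface a longest-prefix route lookup returns for that address. The interfaces and routes in the sample are the ones quoted in the original post; the two static lines are constructed, since the post omits its NAT section, and the second one deliberately places a host from the WAPs subnet on the inside interface.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample config in PIX syntax. Interfaces and routes come from the
# original post; the static lines are hypothetical (the post omitted NAT).
SAMPLE_CONFIG = """\
interface GigabitEthernet0.40
 nameif inside
 ip address 172.17.23.30 255.255.255.0
interface GigabitEthernet0.201
 nameif WAPs
 ip address 172.17.29.1 255.255.255.0
interface GigabitEthernet1
 nameif outside
 ip address 65.199.113.30 255.255.255.0
route outside 0.0.0.0 0.0.0.0 65.199.113.1 1
route inside 172.17.0.0 255.255.0.0 172.17.23.1 1
static (inside,outside) 65.199.113.31 172.17.23.5 netmask 255.255.255.255
static (inside,WAPs) 172.17.29.2 172.17.29.2 netmask 255.255.255.255
"""

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, egress interface)
Static = Tuple[str, str, str, str]           # (real_ifc, mapped_ifc, mapped_ip, real_ip)

_IFACE_RE = re.compile(r"^\s*nameif\s+(\S+)")
_ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")
_ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+")
_STATIC_RE = re.compile(
    r"^\s*static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_routes(config: str) -> List[Route]:
    """Routing table: connected prefixes from 'ip address' lines plus 'route' lines."""
    routes: List[Route] = []
    current_ifc: Optional[str] = None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)          # 'no nameif' does not match
        if m:
            current_ifc = m.group(1)
            continue
        m = _ADDR_RE.match(line)           # 'no ip address' does not match
        if m and current_ifc:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, current_ifc))
            continue
        m = _ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((net, m.group(1)))
    return routes


def parse_statics(config: str) -> List[Static]:
    """Collect 'static (real,mapped) mapped_ip real_ip netmask ...' lines."""
    statics: List[Static] = []
    for line in config.splitlines():
        m = _STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
            statics.append((real_ifc, mapped_ifc, mapped_ip, real_ip))
    return statics


def lookup(routes: List[Route], ip: str) -> str:
    """Longest-prefix match; returns the egress interface, or '' when no route."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for net, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else ""


def check_statics(config: str) -> List[Tuple[str, str, str, str]]:
    """Return (side, address, interface_in_static, interface_from_routing) per mismatch."""
    routes = parse_routes(config)
    problems = []
    for real_ifc, mapped_ifc, mapped_ip, real_ip in parse_statics(config):
        for side, ip, declared in (("real", real_ip, real_ifc),
                                   ("mapped", mapped_ip, mapped_ifc)):
            try:
                ipaddress.ip_address(ip)
            except ValueError:             # e.g. the 'interface' keyword in PAT statics
                continue
            routed = lookup(routes, ip)
            if routed != declared:
                problems.append((side, ip, declared, routed))
    return problems


if __name__ == "__main__":
    for side, ip, declared, routed in check_statics(SAMPLE_CONFIG):
        print(f"static places {ip} ({side} side) on {declared}; routing table says {routed}")
```

On the sample, the first static passes on both sides and the second is reported because its real address 172.17.29.2 is declared on inside while the connected route for 172.17.29.0/24 points at WAPs. A mismatch this check reports is a prompt to inspect that static against the routing table, not proof of misconfiguration on its own, since real deployments sometimes route mapped addresses through a different path deliberately.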
18 years 4 weeks ago #17689
by robi_asa
Replied by robi_asa on topic Re: No route Syslog Error Pix 525 Version 7.0
Hi,
I have the same problem. How did you solve it ?
bye
18 years 4 weeks ago #17713
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: No route Syslog Error Pix 525 Version 7.0
I would also be interested in seeing the complete config to take a look at this problem.
17 years 6 months ago #21752
by shirpala
Replied by shirpala on topic Great feedback
Gentlemen,
This was great feedback. Thank you. After I read the comment regarding nat, I checked my static statement and it took care of the no route error message. You guys rock, now I can go enjoy my weekend :-)