Cisco Systems PIX says "no route" even though there is

Posted by Tilman Schmidt on July 3, 2007, 8:30 pm
In a fully meshed VPN of several PIXen, I see log messages like this:

%PIX-6-110001: No route to 10.1.212.254 from 10.1.213.251

with a disquieting frequency, but of course always when I'm not in the
office. The network uses static routing exclusively, and by the time I
log in to the PIX in question "show route" invariably shows the route
is there as it should. Nor do I see any correlation with other log
messages such as the occasional bursts of "%PIX-7-702205: ISAKMP Phase
2 retransmission" probably caused by line problems.

What might lead a PIX to temporarily deny the existence of a static
route, and how can I diagnose that?

TIA

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

Posted by Walter Roberson on July 4, 2007, 1:38 am
Tilman Schmidt wrote:
> In a fully meshed VPN of several PIXen, I see log messages like this:

> %PIX-6-110001: No route to 10.1.212.254 from 10.1.213.251

> The network uses static routing exclusively,

> What might lead a PIX to temporarily deny the existence of a static
> route,

If the packet arrives on the wrong interface. PIX 6 doesn't allow
routing of a packet back to the same interface it came from, no matter
what the static routes say.

Turning on reverse path verification might perhaps help track the
problem.

Posted by Tilman Schmidt on July 4, 2007, 5:19 am
Walter Roberson wrote:
> Tilman Schmidt wrote:
>
>> What might lead a PIX to temporarily deny the existence of a static
>> route,
>
> If the packet arrives on the wrong interface. PIX 6 doesn't allow
> routing of a packet back to the same interface it came from, no matter
> what the static routes say.
>
> Turning on reverse path verification might perhaps help track the
> problem.

Good point. I have turned that on now, we'll see what that'll turn up.

Thanks,
Tilman

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

Posted by Tilman Schmidt on July 13, 2007, 8:32 am
Walter Roberson wrote:
> Tilman Schmidt wrote:
>> In a fully meshed VPN of several PIXen, I see log messages like this:
>
>> %PIX-6-110001: No route to 10.1.212.254 from 10.1.213.251
>
>> The network uses static routing exclusively,
>
>> What might lead a PIX to temporarily deny the existence of a static
>> route,
>
> If the packet arrives on the wrong interface. [...]
> Turning on reverse path verification might perhaps help track the
> problem.

That didn't turn up anything.

But I notice that all the messages are for addresses that aren't
directly connected to the nearest PIX, but behind another router.
Is it possible that the PIX generates such a message when the problem
is really with the next hop router? E.g.:
- next hop router isn't reachable at all (no ARP reply)
- next hop router replies "ICMP unreachable" because it doesn't have
  a usable route to the destination
- next hop sends the packet back to the PIX for lack of a better
  route (but shouldn't it show up in a "reverse path check" log
  message then?)

Thanks again for any insight.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
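
Added example, not part of any poster's message: one way to test the observations in this thread (which destinations trigger %PIX-6-110001, at what hours, and whether other PIX messages such as 702205 occur nearby) against collected syslog. The syslog prefix, the host name `pix1`, the sample lines and the 60-second window are assumptions; only the two message formats come from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the BSD-syslog prefix (timestamp, host name "pix1") is an
# assumption; the two message formats are the ones quoted in the thread.
SAMPLE = """\
Jul  3 02:14:07 pix1 %PIX-7-702205: ISAKMP Phase 2 retransmission
Jul  3 02:14:31 pix1 %PIX-6-110001: No route to 10.1.212.254 from 10.1.213.251
Jul  3 02:14:33 pix1 %PIX-6-110001: No route to 10.1.212.254 from 10.1.213.251
Jul  3 11:40:02 pix1 %PIX-7-702205: ISAKMP Phase 2 retransmission
Jul  3 23:05:50 pix1 %PIX-6-110001: No route to 10.1.212.17 from 10.1.213.251
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %PIX-\d-(\d{6}): (.*)$")
NO_ROUTE = re.compile(r"^No route to (\S+) from (\S+)$")

def parse(lines, year=2007):
    """Yield (timestamp, message_id, text) for every well-formed PIX line."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            # BSD syslog timestamps carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def summarize(lines, window_s=60):
    """Count 110001 events per destination and hour; tally nearby message IDs."""
    events = list(parse(lines))
    window = timedelta(seconds=window_s)
    by_dest, by_hour, neighbours = Counter(), Counter(), defaultdict(Counter)
    for ts, msg_id, text in events:
        m = NO_ROUTE.match(text) if msg_id == "110001" else None
        if not m:
            continue
        dest = m.group(1)
        by_dest[dest] += 1
        by_hour[ts.hour] += 1
        # Any other PIX message within +/- window_s of this event.
        for other_ts, other_id, _ in events:
            if other_id != "110001" and abs(other_ts - ts) <= window:
                neighbours[dest][other_id] += 1
    return {"by_dest": dict(by_dest), "by_hour": dict(by_hour),
            "neighbours": {d: dict(c) for d, c in neighbours.items()}}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

A destination that never appears under `neighbours` had no other PIX message within the window, which matches the "no correlation" case described in the first post.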

Posted by @NOSPAMhod!SPAM.co(dot)uk on July 4, 2007, 4:25 am
If the PIX is trying to route the packet to a network link that has
failed it will report the error you suggest.
Have you checked the interface to see if it has suffered any outages?

TP

Tilman Schmidt wrote:
> In a fully meshed VPN of several PIXen, I see log messages like this:
>
> %PIX-6-110001: No route to 10.1.212.254 from 10.1.213.251
>
> with a disquieting frequency, but of course always when I'm not in the
> office. The network uses static routing exclusively, and by the time I
> log in to the PIX in question "show route" invariably shows the route
> is there as it should. Nor do I see any correlation with other log
> messages such as the occasional bursts of "%PIX-7-702205: ISAKMP Phase
> 2 retransmission" probably caused by line problems.
>
> What might lead a PIX to temporarily deny the existence of a static
> route, and how can I diagnose that?
>
> TIA
>
