Static Route with Wrong Next-Hop IP — Packets Dropped
Presenting Symptom
Users in Branch A cannot reach the server in Branch B, and pings from the Branch A router to the Branch B server fail.
Network Context
Two branch offices (Branch A and Branch B) are connected via a WAN link. Each branch has a Cisco 4321 router running IOS XE 16.9. The Branch A LAN is 192.168.1.0/24 and the Branch B LAN is 192.168.2.0/24. The WAN link uses 10.0.0.0/30. The static route on the Branch A router for the Branch B LAN should use next-hop 10.0.0.2 (the Branch B router's WAN interface), but it was misconfigured with next-hop 10.0.0.3, which does not exist.
Diagnostic Steps
Check routing table on Branch A router
show ip route 192.168.2.0
Routing entry for 192.168.2.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.0.0.3
      Route metric is 0, traffic share count is 1
The route exists but points to next-hop 10.0.0.3. If the next-hop is not reachable (no ARP entry), packets will be dropped. A correct route should show next-hop 10.0.0.2.
Check ARP table for the next-hop
show ip arp 10.0.0.3
No ARP entry for 10.0.0.3 or <no output>
If no ARP entry exists, the router cannot resolve the next-hop IP to a MAC address, so packets are dropped. A valid next-hop should have an ARP entry.
Verify connectivity to the correct next-hop
ping 10.0.0.2
!!!!!
Pinging the correct next-hop succeeds, confirming that the WAN link is up and the Branch B router is reachable. This rules out a Layer 1/2 issue.
Examine the static route configuration
show running-config | include ip route 192.168.2.0
ip route 192.168.2.0 255.255.255.0 10.0.0.3
The static route is misconfigured with next-hop 10.0.0.3 instead of 10.0.0.2. This is the root cause.
Root Cause
The static route on Branch A router for the Branch B LAN (192.168.2.0/24) has an incorrect next-hop IP address (10.0.0.3). The router attempts to forward packets to 10.0.0.3, which does not exist on the directly connected WAN link, so ARP resolution fails and packets are dropped.
Resolution
Verification
Run the following commands to confirm:
show ip route 192.168.2.0
Expected output: Routing entry for 192.168.2.0/24 via 10.0.0.2
ping 192.168.2.1 (Branch B server IP)
Expected output: !!!!! (successful pings)
Prevention
1. Use a next-hop IP that is directly connected and reachable.
2. Always verify static routes with 'show ip route' after configuration.
3. Consider using exit interface instead of next-hop IP to avoid ARP issues (e.g., 'ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0/0').
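An added example, not part of the original scenario: a Python check for item 1 that reads interface addresses and static routes from a running-config and flags any next-hop that is not a usable host address on a directly connected subnet. The sample config is constructed from this scenario's addresses; the interface names and Branch A's WAN address 10.0.0.1 are assumptions. In 10.0.0.0/30 the only usable hosts are .1 and .2, so 10.0.0.3 is reported as the subnet's broadcast address.

```python
import ipaddress
import re

# Constructed sample: Branch A running-config excerpt using this scenario's
# addresses. Interface names and the 10.0.0.1 WAN address are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
ip route 192.168.2.0 255.255.255.0 10.0.0.3
"""

IFACE_RE = re.compile(r"^\s+ip address (\S+) (\S+)\s*$")
# Matches only routes whose third field is an IP; exit-interface routes are skipped.
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)\b")


def audit_static_routes(config):
    """Return (route_line, reason) for every static route with a suspect next-hop."""
    connected, routes = [], []
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            connected.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
        elif m := ROUTE_RE.match(line):
            routes.append((line.strip(), ipaddress.ip_address(m.group(3))))

    findings = []
    for line, hop in routes:
        iface = next((i for i in connected if hop in i.network), None)
        net = iface.network if iface else None
        if iface is None:
            findings.append((line, "next-hop is not on a directly connected subnet"))
        elif hop == iface.ip:
            findings.append((line, "next-hop is this router's own address"))
        elif net.prefixlen < 31 and hop in (net.network_address, net.broadcast_address):
            # Nothing answers ARP for the network or broadcast address of the link.
            findings.append((line, f"next-hop is the network/broadcast address of {net}"))
    return findings


if __name__ == "__main__":
    for route, reason in audit_static_routes(SAMPLE_CONFIG):
        print(f"{route}  ->  {reason}")
```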
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests troubleshooting of static routing. Questions may present a similar symptom and ask to identify the misconfigured next-hop. The exam expects candidates to use 'show ip route' and 'show ip arp' to diagnose and correct the issue.
Exam Tips
Always check the routing table first to see if the route exists and what next-hop is used.
Remember that a static route with an unreachable next-hop will not be installed in the routing table (if the next-hop is not directly connected) or will cause packet drops (if directly connected but wrong IP).
The command 'show ip route static' can quickly display all static routes.
Commands Used in This Scenario
ping [ip]
The ping command sends ICMP echo requests to a destination IP address to test network connectivity and measure round-trip time.
show ip arp
Displays the Address Resolution Protocol (ARP) cache, mapping IP addresses to MAC addresses on a router or switch, used to verify connectivity and troubleshoot Layer 2 issues.
show ip route
Displays the current IP routing table on a Cisco router, used to verify routes, check next-hop addresses, and troubleshoot connectivity issues.