VPN clients missing a route to a subnet

DanielSalzedoRed5 — Mon, 11 Mar 2019 21:34:57 GMT

I have an ASA 5510 with an IPSEC VPN configuration. Clients are using the built-in Windows VPN client rather than the Cisco VPN client. There is a single LAN connection from the 5510 to our 6510 core switch. On the core switch are multiple subnets in individual VLANs. The majority of those are class C subnets carved the 10.0.0.0 class A subnet. (IE 10.2.1.0/24, 10.3.3.0/24 etc) The VPN clients get an IP address from an Address Pool on the ASA in another also a Class C subnet (10.200.0.50/24)

All this works fine, the VPN clients can browse to any internal system in the overall 10.0.0.0/8 range. However I have a set of servers in the 172.16.20.0/24 subnet and VPN clients cannot connect. This subnet is setup just the same as the others as a VLAN on the 6510. It shows up as a Static Route in the settings of the 5510.

It seems that the VPN client connection does not get the correct routing information sent to it by the ASA. I did a Route Print command on a connected VPN client who had the VPN IP address of 10.254.0.65 and got this:

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 20

10.0.0.0 255.0.0.0 10.254.0.65 10.254.0.65 1

10.254.0.65 255.255.255.255 127.0.0.1 127.0.0.1 50

10.255.255.255 255.255.255.255 10.254.0.65 10.254.0.65 50

68.225.20.130 255.255.255.255 192.168.0.1 192.168.0.100 20

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

169.254.0.0 255.255.0.0 192.168.0.100 192.168.0.100 20

192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.100 20

192.168.0.100 255.255.255.255 127.0.0.1 127.0.0.1 20

192.168.0.255 255.255.255.255 192.168.0.100 192.168.0.100 20

224.0.0.0 240.0.0.0 10.254.0.65 10.254.0.65 50

224.0.0.0 240.0.0.0 192.168.0.100 192.168.0.100 20

255.255.255.255 255.255.255.255 10.254.0.65 10.254.0.65 1

255.255.255.255 255.255.255.255 192.168.0.100 192.168.0.100 1

Default Gateway: 192.168.0.1

I noticed no route for the 172.16.20.0/24 subnet was present, so I manually added one with the following command:

route add 172.16.20.0 mask 255.255.255.0 10.254.0.65 metric 50

Once I did this the VPN client was able to connect fine to servers in the 172.16.20.0/24 subnet. However this is a manual fix that would need to be reapplied every time the client reconnects. I need to know what I need to change on the ASA side to ensure this route is always mapped for all VPN clients.

Thanks!

VPN clients missing a route to a subnet

Jennifer Halim — Fri, 07 Oct 2011 02:45:56 GMT

If you configure split tunnel for the VPN on the ASA, the 172.16.20.0/24 subnet needs to be configured under the split tunnel ACL as well. This will push the route towards the VPN Client when the VPN Client connects to the ASA.

topic VPN clients missing a route to a subnet in Network Security

VPN clients missing a route to a subnet

VPN clients missing a route to a subnet