07-07-2009 05:35 AM - edited 02-21-2020 03:33 AM
Hi,
When we connect to SSL AnyConnect VPN, the IP address assigned seems to be with a gateway next to the IP address being assigned & with the subnet mask as whatever subnet the range belongs to.
Like, if I assign a pool of 192.168.100.1-192.168.100.14 (/28) to a group, on connecting it will allocate me the following:
IP addr: 192.168.100.1
SM: 255.255.255.240
GW: 192.168.100.2
1. Shouldn't VPN connections be displaying subnet mask as /32 & gateway address same as IP address assigned?
2. Why does it need to allot a gateway address? & if it is necessary, why does it default to the very next IP address?
There are no problems with connections over VPN, everything is working fine.
Curious to know these.
Please advise. Thanks.
07-15-2009 02:34 AM
Hi,
This is expected behavior and shouldn't cause any problems for your VPN connection.
Windows XP does not like the interface to be the same as the gateway for a non-local route. In XP, for a local route, the gateway can and must point to the interface. In XP, for a non-local route, the gateway must not point to the interface.
Hence the change. The .1 (i.e. 1st IP in the subnet) was chosen randomly.
What happens if a machine with that IP exists on the private side of the ASA?
The AnyConnect interface is a virtual interface. The gateway on this interface is also meaningless. Since we are a virtual interface, no packets ever make it to the gateway mentioned in the route. We grab it, wrap it and send it out to the ASA just like any other packet. After unwrapping it, it's up to the ASA to decide what to do with it.