Hi, I am looking for some assistance with configuring/troubleshooting our Remote Access VPN settings in part of access Internet through VPN connection.
We use Cisco 5516-x with Firepower Management Center.
We already configured two connection profiles. The first one, with Split tunneling, works perfectly, both the Internet and access to our networks working as they should. Second connection profile with "Allow all traffic over tunnel" in split tunneling option, grant access only to local networks, Internet access through VPN not working, this is what we want to deal with.
We use two providers scheme, ISP1 grants Internet access, with default route metric 1. ISP2 grants VPN access with default route metric 2. I allowed ISP2 to ISP1 traffic with source VPN address pool and destination any addresses in ACL. Also, I created a dynamic NAT rule which should translate IP address from VPN address pool to external IP of ISP1 interface (like I did to NAT traffic from local networks to the Internet).
Also, I tried Packet Tracer with source IP: IP from VPN address pool, dest IP: 22.214.171.124, and it seems OK. PT shows me Allow. But in Real life, it doesn't work for some reason
Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop ISP1_GW_IP using egress ifc outside_ISP1 Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip ifc outside_ISP2 object VPNPool-10.72.1.0-24 ifc outside_ISP1 any rule-id 268436480 access-list CSM_FW_ACL_ remark rule-id 268436480: ACCESS POLICY: Base Policy - Mandatory access-list CSM_FW_ACL_ remark rule-id 268436480: L7 RULE: VPN_to_Internet Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 3 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class_map_AllowAll match access-list AllowAll policy-map global_policy class class_map_AllowAll set connection timeout idle 1:00:00 embryonic 0:00:30 half-closed 0:10:00 idle 1:00:00 DCD: disabled, retry-interval 0:00:15, max-retries 5 DCD: client-probe 0, server-probe 0, conn-expiration 0 set connection decrement-ttl service-policy global_policy global Additional Information: Phase: 4 Type: NAT Subtype: Result: ALLOW Config: object network VPNPool-10.72.1.0-24 nat (outside_ISP2,outside_ISP1) dynamic interface Additional Information: Dynamic translate 10.72.1.5/0 to ISP1_ASA_IP/15209 Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 7 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 8 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 9 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 10 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 11 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 12 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 4088964, packet dispatched to next module Phase: 13 Type: EXTERNAL-INSPECT Subtype: Result: ALLOW Config: Additional Information: Application: 'SNORT Inspect' Phase: 14 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: ICMP Session: new snort session Firewall: allow rule, 'VPN_to_Internet' , allow Snort id 0, NAP id 2, IPS id 0, Verdict PASS Snort Verdict: (pass-packet) allow this packet Phase: 15 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop ISP1_GW_IP using egress ifc outside_ISP1 Phase: 16 Type: ADJACENCY-LOOKUP Subtype: next-hop and adjacency Result: ALLOW Config: Additional Information: adjacency Active next-hop mac address 04b0.e7a8.2a2d hits 10 reference 1 Result: input-interface: outside_ISP2 input-status: up input-line-status: up output-interface: outside_ISP1 output-status: up output-line-status: up Action: allow
How can we overcome this issue?
I also tried to play with Tunneled checkbox in Static Route options for the default route, but it gave me no effect.
The issue is still opened, any suggestions?
(Optional) For a default route, click the Tunneled checkbox to define a separate default route for VPN traffic.
You can define a separate default route for VPN traffic if you want your VPN traffic to use a different default route than your non VPN traffic. For example, traffic incoming from VPN connections can be easily directed towards internal networks, while traffic from internal networks can be directed towards the outside. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the device that cannot be routed using learned or static routes, is sent to this route. You can configure only one default tunneled gateway per device. ECMP for tunneled traffic is not supported.
Ways to fix-
1. Repair the installation
In the Windows Search bar, type Control and open Control Panel.cisco vpn windows 10 not working
Click Uninstall a program in the bottom left corner.cisco vpn windows 10 not working
Click on the Cisco System VPN client and choose Repair.
Follow the instructions until the installation is repaired.
Let’s start by repairing the installation. Lots of third-party applications tend to break after a major update is administered. That’s why it is always recommended to reinstall them after the update is installed.
Even better, if you want to avoid one of the numerous update/upgrade errors, uninstalling is a viable choice.
However, if you’ve not uninstalled Cisco VPN prior to an update, instead of reinstallation, you should try out repairing the present installation first.
If you’re not sure how to repair the Cisco VPN, follow the steps we provided above.
2. Allow VPN to freely communicate through Firewall
In the Windows Search bar, type Allow an app and open Allow an app through Windows Firewall.
Click Change settings.
Make sure that Cisco VPN is on the list, and it’s allowed to communicate through Windows Firewall.
If that’s not the case, click Allow another app and add it.cisco vpn windows 10 not working
Check both Private and Publicrong> network boxes.
Confirm changes and open the Cisco VPN.
System updates can, quite frequently, change the system settings and preferences to default values. This misdeed, of course, can affect Windows Defender settings as well.
If that’s the case, chances are that lots of third-party apps that require free traffic through the Firewall won’t work. Including the Cisco VPN client.
That’s why we encourage you to check the settings and confirm that the app is indeed allowed in Windows Firewall settings.
3. Tweak the Registry
Right-click on the Start button and open Device Manager.
Expand Network adapters.network adapters
Right-click on Virtual Adapter and update it.
Restart your PC.
Like many other integrating VPN solutions, Cisco VPN comes with the specific associated Virtual Network Adapter. The failure of this device is another common occurrence, and it’s accompanied by the error code 442.
The first thing you can do if this error occurs is checking the Virtual Adapter driver in the Device Manager.
Now, if that fails to resolve the issue, you can try a Registry tweak which seems to address it fully. This requires administrative permission, in order to make changes to Registry.
Furthermore, we strongly suggest treading carefully since untaught meddling with Registry can result in a system failure.
Follow these steps to tweak Registry and repair Cisco VPN:
Type Regedit in the Windows Search bar and open Registry Editor.
Copy-paste the following path in the address bar:
HKEY_LOCAL_MACHINE/SYSTEM/Current/Control/SetServices/CVirtAcisco vpn windows 10 not working
Right-click on the DisplayName registry entry and choose Modify.
Under the Value Data section, make sure that the only body of text which stands is the Cisco Systems VPN Adapter.
For the 64bit version, the text is the Cisco Systems VPN Adapter for 64-bit Windows.
Save changes and try running Cisco VPN again.