VPN clients missing a route to a subnet

I have an ASA 5510 with an IPSEC VPN configuration. Clients are using the built-in Windows VPN client rather than the Cisco VPN client. There is a single LAN connection from the 5510 to our 6510 core switch. On the core switch are multiple subnets in individual VLANs. The majority of those are class C subnets carved out of the 10.0.0.0 class A subnet (i.e. 10.2.1.0/24, 10.3.3.0/24, etc.). The VPN clients get an IP address from an Address Pool on the ASA in another Class C subnet (10.200.0.50/24).

All this works fine; the VPN clients can browse to any internal system in the overall 10.0.0.0/8 range. However, I have a set of servers in the 172.16.20.0/24 subnet and VPN clients cannot connect. This subnet is set up just the same as the others, as a VLAN on the 6510. It shows up as a Static Route in the settings of the 5510.

It seems that the VPN client connection does not get the correct routing information sent to it by the ASA. I ran a Route Print command on a connected VPN client that had the VPN IP address of 10.254.0.65 and got this:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.100       20
         10.0.0.0        255.0.0.0      10.254.0.65     10.254.0.65       1
      10.254.0.65  255.255.255.255        127.0.0.1       127.0.0.1       50
   10.255.255.255  255.255.255.255      10.254.0.65     10.254.0.65       50
    68.225.20.130  255.255.255.255      192.168.0.1   192.168.0.100       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0    192.168.0.100   192.168.0.100       20
      192.168.0.0    255.255.255.0    192.168.0.100   192.168.0.100       20
    192.168.0.100  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.0.255  255.255.255.255    192.168.0.100   192.168.0.100       20
        224.0.0.0        240.0.0.0      10.254.0.65     10.254.0.65       50
        224.0.0.0        240.0.0.0    192.168.0.100   192.168.0.100       20
  255.255.255.255  255.255.255.255      10.254.0.65     10.254.0.65       1
  255.255.255.255  255.255.255.255    192.168.0.100   192.168.0.100       1
Default Gateway:       192.168.0.1

I noticed no route for the 172.16.20.0/24 subnet was present, so I manually added one with the following command:

route add 172.16.20.0 mask 255.255.255.0 10.254.0.65 metric 50

Once I did this, the VPN client was able to connect fine to servers in the 172.16.20.0/24 subnet. However, this is a manual fix that would need to be reapplied every time the client reconnects. I need to know what I need to change on the ASA side to ensure this route is always mapped for all VPN clients.

Thanks!

1 Reply

Jennifer Halim
Cisco Employee

If you configure split tunnel for the VPN on the ASA, the 172.16.20.0/24 subnet needs to be configured under the split tunnel ACL as well. This will push the route towards the VPN Client when the VPN Client connects to the ASA.
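The change the reply describes, shown as an added ASA configuration example rather than anything taken from the poster's device: the split-tunnel ACL that only lists 10.0.0.0/8 (which matches the single 10.0.0.0 255.0.0.0 route seen in the client's route print) next to the corrected ACL that also carries 172.16.20.0/24. The ACL name SPLIT-TUNNEL and the group-policy name VPN-GP are assumed placeholders; substitute the names already in use on the ASA.

```cisco
! --- Before (assumed): only the 10.0.0.0/8 range is listed, so the client
! --- never learns a route to 172.16.20.0/24 and must add one by hand.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
! --- After: add the 172.16.20.0/24 server subnet to the same ACL.
! --- Every network permitted here is pushed to the client as a route
! --- when the tunnel comes up, so the manual "route add" is no longer needed.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit 172.16.20.0 255.255.255.0
!
! --- The group policy that the VPN clients land in must reference the ACL
! --- (VPN-GP is a placeholder name; check "show run group-policy" for yours).
group-policy VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! --- Verify on the ASA that the ACL now carries both networks.
show running-config access-list SPLIT-TUNNEL
```

After the next reconnect, `route print` on the client should show a 172.16.20.0 / 255.255.255.0 entry via the assigned VPN address alongside the existing 10.0.0.0 / 255.0.0.0 entry; if it does not, the client is not picking up the group policy that references this ACL.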
