RV340 VPN only allowing access to 10 addresses

zardoz001b
Level 1

I have two RV340 routers setup at various locations, and are working properly with this exception.  When I initiate a client-to-site vpn, I can only access approximately 10 ip addresses on the internal network.  I haven't found anywhere in the configurations of the router where the remote network is defined or anything, which would be my first thought.  Any insights?

Accepted Solution

nagrajk1969
Spotlight

Hi Zardoz

 

Based on your points, the attached schematic is my understanding of your network deployment at one of the 2 sites using RV340

 

Since you mentioned 3 layer3 switches all in same vlan1, then each of the switches must already be configured with say the ipaddresses for example 10.223.219.1, 10.223.219.2, 10.223.219.3...and for these switches to respond to the access requests coming from the anyconnect-client (with ipaddr 10.223.221.x), then each of the switches have to be configured with the def-gw ipaddr of 10.223.219.254

 

Since you say Printers are accessible, then i think they are correctly configured with the def-gw as 10.223.219.254 (the rv340 lan interface address)

 

Double check again...

 

hope this helps you solve your issue


21 Replies

Richard Burts
Hall of Fame

We do not have much information to work with. You mention 2 RV340 routers. Are both routers involved in this or is it just one? You mention a client to site vpn, is this a vpn from a PC to a router (vpn client on PC)? It might help our understanding of the issue if you show us the router config.

HTH

Rick

Ok.  Let me clarify a bit.  I have one of them with two clients, and both are doing the exact same thing.  So the two routers aren't interacting at all with each other.  It's from a PC/Mac to the router.  

Am I correct in understanding that there are 2 clients, both going to the same router and both clients have the same symptoms? What is the vpn client the PCs are using?

 

I tried to find vpn information in the file that you attached but found it very difficult to decipher. Most of what I could find in it relating to vpn seems to be more about alerting for vpn events than it was about configuring the vpn.

HTH

Rick

I wasn’t as clear as I should have been.  Two completely separate clients, with the same router, and both are doing the exact same thing.  So if we can figure out one, then it will take care of both.  

As to the config file, that’s what I got directly from one of the routers.  Normally, with other routers, I can define what network is visible across the vpn.  I don’t see that option available in the rv340.  

hope this clarifies everything a bit better.

Since you did not answer my question about which vpn client the PCs are using it is difficult to know if there might be something specific to that client. But in looking through the documentation for RV340 for client to site vpn there is an option to configure the split tunnel table, which is what defines the networks, or addresses, that the client can access. Please check your RV340 configuration for what is configured in the split tunnel table and let us know what you find.

HTH

Rick

I misread your question.  I'm using the Cisco AnyConnect client.  The split tunnel config is set for their internal /24 network.  Like I was saying originally, I'm able to see some of the network.  More random ip addresses than anything else.  But only about 10 of them, throughout the entire network.

Can you tell us from a client who is running AnyConnect and experiencing the issue under statistics what shows up under secure routes? It would also help us better understand what is going on if you would tell us what network(s) on the RV340 the client would want to access.

HTH

Rick

I’ll have to look that up a little later as I’m not in front of my pc.  As to the network, it’s the entire lan subnet, and in the split tunnel is set accordingly.  I want to be careful not to expose the addresses obviously.  But the idea would be if the lan was set up as 192.168.10.0/24, I have it set or so I think, to access those 254 addresses.  It’s not that specific subnet, but you get the idea.

Am I understanding correctly that the LAN connected to the RV340 is using some registered Public IP subnet? I can understand not wanting to expose that. And am I correct in understanding that whatever the address block is for the LAN and its mask are exactly what is configured in the split tunnel list?

 

I have read through the complete discussion again and have a couple of things to mention. 

- You said " I haven't found anywhere in the configurations of the router where the remote network is defined" For Remote Access vpn there would not be anything configured about the remote network where the client is. Depending on where the client is it might connect to the router using one of many different addresses. It does not matter to the router where the client is coming from - it only matters that it requests vpn and is able to successfully authenticate. Once the vpn is established the client is assigned an IP address from a subnet associated with the router which it will use during the vpn session.

- in the original post you describe the vpn as client-to-site vpn. As I have looked at the documentation for RV340 they seem to describe client-to-site vpn as something different from AnyConnect. Was the RV340 configured using the client-to-site vpn tab or using the AnyConnect tab?

- in one of the posts you provided clarification saying "I have one of them with two clients".  Is that 2 remote PCs both running the AnyConnect client? Or is that 2 remote PC one running AnyConnect and the other running some other client?

 

HTH

Rick

The internal lan isn't on a public IP.  I'm just a little particular about giving away addresses.  But as it's an internal address, I suppose it doesn't really matter.  The internal subnet is 10.223.219.0/24.  Forgive me also about the terminology, but AnyConnect is a flavor of a client to site vpn at least I would think, but forgive me if I'm wrong in that.  Anyways, the secured routes are as follows:

 

10.223.219.0/24

10.223.219.254/32

8.8.8.8/32

 

To clarify, it's my company's clients, not a client for the routers per se.  Each of my client locations has one of these routers and both are experiencing the same issue.  Again forgive me for the confusion.  That's just more for extra information I suppose as once one is working properly, the fix can be applied to the second and get it working.  So at this point, we just need to focus on one of the routers.

 

Again, forgive the confusion.  This week has been a bit of a mess and my brain has been having difficulty forming exactly what I'm thinking at the time.  LOL!

I do understand (and sympathize with) "particular about giving away addresses". But there needs to be some reasonableness applied to it. Knowing either 10.223.219.0/24 or 192.168.10.0/24 makes no difference in degree of threat to your network. And the effort to disguise the address just makes it more difficult for you and increases the chances of some mistake sneaking into a description.

 

I know that terminology can become a bit tricky. I can only work with the limited information that I have access to. You state "but Anyconnect is a flavor of a client to site vpn". Yes it is a flavor, but there are multiple flavors and the RV340 seems to treat them differently.  If one place refers to client to site vpn I look at the RV340 docs and find information about that. If another place refers to AnyConnect I find RV340 information about that which is quite different. I just need to understand which context is the more important one. Perhaps showing some screen shots of the RV340 vpn configuration might clarify what I should be focusing on?

 

There is also confusion about client as in customer or client as in the software used on PC for vpn. So you have 2 customer/clients who each have an RV340 router and they have PC vpn client software to establish vpn connections?

HTH

Rick

Ok.  To completely clarify, I have 2 customers that have the RV340 router.  Both, using the AnyConnect client, cannot see all of the addresses on the internal subnets.  Really it only matters about one customer as the fix should carry to the other customer theoretically as they are configured identically for AnyConnect.  I have attached the screenshots of one of the two configs for AnyConnect.  Hopefully this sheds some light on things.

 

You're right about the IP addressing as it really doesn't make a difference about the internal addressing.  It's the external that makes the difference.  Forgive me, it's been a really long week with multiple nights just surviving on mountain dew.

Thank you for the screenshots. They do confirm that this is AnyConnect vpn, that split tunnel is used so traffic from the client to the Internet would go to the Internet without using the vpn, and traffic from the client to the subnet associated with the RV340 would go through the tunnel. This is as expected.

 

The next step would be to get an AnyConnect session to the RV340 and then to get the secured routes as shown by AnyConnect. It might also be helpful to see output from the RV340 for its connected interfaces and its arp table.

HTH

Rick

nagrajk1969
Spotlight

Hi Zardoz,

 

I believe your client's RV340 deployment is like this below (as understood from the screenshots you had posted)

 

{Internal-lan:10.12.250.0/24}-----10.12.250.1(vlan1-ip)[rv340router]wan1------[Internet]----[AnyConnect-SSL-VPN-Client-PCs]

 

Now from the screenshots, the below is what i understand of the config applied on RV340:

 

1. The SSL-VPN server is configured with a subnet 10.12.252.0/255.255.255.192, which means that it is configured to assign about 62 ipaddresses in the 10.12.252.0/26 subnet (the ipaddr 10.12.252.0 is the network-address and 10.12.252.63/26 will be the broadcast address and therefore are not assigned to any clients)

- so let us assume that 1 AnyConnect-Client is connected to the SSL-VPN server on RV340 and has been assigned the ipaddress 10.12.252.2 for example

 

2. In the SSL-VPN-Default-Profile on the server, you have configured a subnet 10.12.250.0/24 in the "split-tunnel" networks

 

a) this would mean that once the AnyConnect-client has established the ssl-vpn tunnel to the RV340, it can access "ALL" hosts/servers in the Internal-Lan network which have been configured with the ipaddresses 10.12.250.x

 

b) this should also mean that the Anyconnect-client can also connect to 10.12.250.252 which is the primary-dns server of your Internal-Lan network behind RV340

 

3. As far as i can understand and see from the config applied, once your AnyConnect Clients have successfully established the sslvpn tunnel to RV340, they should be able to access ALL the hosts with the ipaddress 10.12.250.x in the internal-lan

- The config applied is very correct and simple...there is no confusion or ambiguity in the config applied for the ssl-vpn-server on RV340

- And I am also assuming that the AnyConnect clients are able to establish the tunnel connection to the RV340 successfully

 

4. So now you have to ask the below questions for yourself and find the below answers:

 

a) After the connection is established, can the AnyConnect-Client ping to 10.12.250.252?

- If yes, check the ip-address config on this primary-dns-server 10.12.250.252 and see whether this host has the "default-gw-ipaddr" configured as 10.12.250.1 (the lan-interface ipaddress of the RV340)

- If NO, then please configure the default-gw-ipaddr of this dns-server to the lan-ipaddr of RV340 (10.12.250.1)...then it will work for sure

 

b) After the connection is established, note down which of the ipaddresses the AnyConnect client can ping and connect to (using tcp/udp connections, etc...whatever service you are trying to use on the internal-network from the AnyConnect client)

- As you mentioned the client is able to access only 10 addresses....

- Are these 10 hosts' ip-addresses in the same subnet 10.12.250.0/24?

- Are these 10 hosts configured with the "default-gw-ipaddr" of 10.12.250.1 (the lan-interface ipaddr of RV340)?

- I think the answer would be yes, they are configured with the correct default-gw ipaddr as the lan-interface ipaddr of RV340, and that is why the AnyConnect client is able to communicate with these 10 hosts

 

c) Are all the hosts in the 10.12.250.0/24 lan-network configured with the default-gw ipaddress as the RV340 lan-interface ipaddress 10.12.250.1?

 

 

- regards and best wishes
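The reasoning in the post above (VPN clients come from the 10.12.252.0/26 pool, the split-tunnel table decides what the client can send to, and a LAN host can only answer an off-subnet client if its default gateway is the RV340 LAN interface) can be checked against a host inventory with the small model below. This is an added example, not code from the thread or from Cisco; the host inventory is constructed, and the addresses are the ones quoted in the post.

```python
# Added example: model forward path (split tunnel) and return path (host default
# gateway) for AnyConnect clients behind an RV340. Addresses are from the thread.
import ipaddress

VPN_POOL = ipaddress.ip_network("10.12.252.0/26")        # SSL-VPN client pool
SPLIT_TUNNEL = [ipaddress.ip_network("10.12.250.0/24")]  # secured routes pushed to client
RV340_LAN_IP = ipaddress.ip_address("10.12.250.1")        # vlan1 interface, LAN default gateway


def usable_pool_size(pool):
    """Client addresses the pool can hand out; network and broadcast are excluded."""
    return pool.num_addresses - 2


def client_reaches(host_ip):
    """Forward path: the client only sends traffic into the tunnel for secured routes."""
    return any(host_ip in net for net in SPLIT_TUNNEL)


def host_replies(host_ip, host_mask, host_gw, client_ip):
    """Return path: the host needs a route back to the client's 10.12.252.x address."""
    host_net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    if client_ip in host_net:
        return True          # on-link destination, no gateway needed (not the VPN case)
    if host_gw is None:
        return False         # off-subnet destination and no default gateway at all
    return ipaddress.ip_address(host_gw) == RV340_LAN_IP  # must be the RV340 itself


def diagnose(hosts, client_ip):
    """Classify each LAN host as reachable or not, with the reason, for one VPN client."""
    client_ip = ipaddress.ip_address(client_ip)
    assert client_ip in VPN_POOL, "client address must come from the SSL-VPN pool"
    report = {}
    for name, ip, mask, gw in hosts:
        ip = ipaddress.ip_address(ip)
        if not client_reaches(ip):
            report[name] = "unreachable: not in split-tunnel table"
        elif not host_replies(ip, mask, gw, client_ip):
            report[name] = "unreachable: default gateway missing or not the RV340 LAN address"
        else:
            report[name] = "reachable"
    return report


# Constructed sample inventory: (name, ip, mask, default gateway or None)
SAMPLE_HOSTS = [
    ("printer1", "10.12.250.20", "255.255.255.0", "10.12.250.1"),
    ("dns", "10.12.250.252", "255.255.255.0", None),
    ("switch1", "10.12.250.2", "255.255.255.0", "10.12.250.200"),
    ("other-site", "10.12.251.5", "255.255.255.0", "10.12.251.1"),
]

if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLE_HOSTS, "10.12.252.2").items():
        print(f"{name:10s} {verdict}")
```

Hosts that answer in practice should all land in the "reachable" bucket; a host that is pingable from the LAN but not from the client is the signature of a wrong or missing default gateway.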
