TCC_2

Core issue

This issue is seen with an Easy VPN client router connected to a server with a Virtual Tunnel Interface (VTI) and no-split tunneling configured.

If an Easy VPN client is configured with a static route to the Internet, it gets an additional static route out to the VPN when the VPN comes up. The client therefore ends up with two static routes. This breaks the VPN, because the client is unable to control which static route the traffic takes.


Resolution

This is the correct and expected behavior. With no-split tunneling, all the traffic needs to be protected over the tunnel. Since VTI uses routing in order to decide which traffic must be protected, a default route needs to be installed in the case of no-split tunneling.


Note: Most routers that run the Cisco Easy VPN Client software have a default route configured. That configured default route must have a metric value greater than 1. The route added for the VPN points to the virtual access interface, so that all traffic is directed to the corporate network when the concentrator does not "push" the split tunnel attribute.
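
One way to check a client router's configuration for the condition in the note, as an added example that is not part of the original article or Cisco's documentation. It assumes the note's "metric" is the optional distance value at the end of an IOS `ip route` statement (1 when omitted); the function names and both sample configurations are constructed, and `ip route vrf` statements are not handled.

```python
# Keywords that can follow the next hop; a number after one of these
# (for example "track 10") is not the route's distance.
KEYWORDS = {"name", "permanent", "track", "tag"}


def default_route_distance(line):
    """Return the distance of a static default route, or None if the
    line is not an 'ip route 0.0.0.0 0.0.0.0 ...' statement."""
    tokens = line.split()
    if tokens[:4] != ["ip", "route", "0.0.0.0", "0.0.0.0"]:
        return None
    for tok in tokens[4:]:
        if tok in KEYWORDS:
            break
        if tok.isdigit():          # bare number before any keyword
            return int(tok)
    return 1                       # assumed default when no value is given


def audit(config_text):
    """List static default routes whose value is not greater than 1,
    i.e. routes that would tie with the one added for the VPN."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        distance = default_route_distance(line)
        if distance is not None and distance <= 1:
            findings.append(line)
    return findings


# Constructed sample: Internet default route left at the default value.
SAMPLE_CONFLICT = """\
! constructed Easy VPN client excerpt
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.20.0.0 255.255.0.0 192.0.2.1
"""

# Constructed sample: same route with a value greater than 1.
SAMPLE_OK = """\
! constructed Easy VPN client excerpt
ip route 0.0.0.0 0.0.0.0 192.0.2.1 2
"""

if __name__ == "__main__":
    for name, cfg in (("conflict", SAMPLE_CONFLICT), ("ok", SAMPLE_OK)):
        print(name, audit(cfg))
```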

Refer to Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) for additional help.