Showing results for 
Search instead for 
Did you mean: 
Level 10
Level 10

Core issue

This issue is seen with an Easy VPN client router connected to a server with a Virtual Tunnel Interface (VTI) and no-split tunneling configured.

If an Easy VPN client is configured with a static route to the Internet, when the VPN comes up, it gets an additional static route out to the VPN. Therefore, the client ends up with two static routes. This breaks the VPN, as the client is unable to control which static route the traffic takes.


This is the correct and expected behavior. With no-split tunneling, all the traffic needs to be protected over the tunnel. Since VTI uses routing in order to decide which traffic must be protected, a default route needs to be installed in the case of no-split tunneling.

Note: Most routers that run the Cisco Easy VPN Client software have a default route configured. The default route that is configured must have a metric value greater than 1. The route points to the virtual access interface, so that all traffic is directed to the corporate network when the concentrator does not "push" the split tunnel attribute.

Refer to Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) for additional help.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: