
Issue with route on PC with split tunnel VPN

guy tec
Level 1

Hi all,

I have the following situation:

ASA 5515X running 8.6

I have multiple inside sub interfaces:

.10 =192.168.10.124

.11 =192.168.11.124

.12 = 192.168.12.1/24

.13 = 192.168.13.1/24

.14 = 192.168.14.1/24

Now I want to set up an IPSec remote access VPN:

I assign the range 192.168.99.5 to 192.168.99.50 for VPN clients.

I configured split tunneling for the following networks: 192.168.10.0, 192.168.11.0 and 192.168.12.0

These are also NAT exempt.

So the config looks good.

The VPN is up.

However, when connecting to the VPN none of these networks are available.

After troubleshooting, I discovered the following:

The IP address received on my VPN adapter is 192.168.99.5 (as expected)

However when I do a route print, I see the following:

Destination             Netmask                Gateway               Interface

192.168.10.0          255.255.255.0      192.168.99.1       192.168.99.5

192.168.11.0          255.255.255.0      192.168.99.1       192.168.99.5

192.168.12.0          255.255.255.0      192.168.99.1       192.168.99.5

The gateway in my PC's routing table is pointing to a non-existing address; in my opinion it should be set to the same address as my VPN adapter (192.168.99.5).

I did try this both with AnyConnect and the classic VPN client.

Where am I going wrong?



guibarati
Level 4

The gateway address you see on the virtual interface (the one created by VPN connection) is not important.

This address sometimes is the same address as your interface, sometimes it's blank. It doesn't matter. This is not the problem. Just ignore it and look somewhere else to keep troubleshooting.

The gateway address listed in my post is not the default gateway on my virtual VPN interface on my PC.

My virtual interface default gateway is blank, as expected.

The output I posted is the one coming from the "route print" command on my PC.

So it will send traffic to 192.168.99.1 (non-existing IP) for the 3 tunneled networks, I think it should use the IP of my virtual VPN interface?

No, this ip route pointing to 192.168.99.1 is correct. This is not the cause of the problem.

Indeed, the problem was not on the ASA but on the underlying equipment.

It is also true that the next hop for the tunneled networks varies, sometimes it is the same, sometimes it's something random.

Anyway, issue resolved.
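The check the replies point to, as an added example that is not part of the original thread: rather than judging the Gateway column, resolve which Interface a destination in each split-tunnel network leaves by, using longest-prefix match over the `route print` rows. The function names, the non-VPN rows and all metric values are constructed assumptions; only the three 192.168.x.0 rows come from the post.

```python
import ipaddress

# Constructed sample in the column layout of Windows "route print" (IPv4).
# The three 192.168.x.0 rows are from the post; other rows and metrics are made up.
ROUTE_PRINT = """\
Network Destination  Netmask          Gateway        Interface     Metric
0.0.0.0              0.0.0.0          10.0.0.1       10.0.0.23     25
10.0.0.0             255.255.255.0    On-link        10.0.0.23     281
192.168.10.0         255.255.255.0    192.168.99.1   192.168.99.5  100
192.168.11.0         255.255.255.0    192.168.99.1   192.168.99.5  100
192.168.12.0         255.255.255.0    192.168.99.1   192.168.99.5  100
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for every route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            iface = ipaddress.ip_address(f[3])
        except ValueError:
            continue  # header or other non-route line
        metric = int(f[4]) if len(f) > 4 and f[4].isdigit() else 0
        routes.append((net, f[2], iface, metric))
    return routes

def egress(routes, dest):
    """Pick the route for dest: longest prefix first, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def check_split_tunnel(text, vpn_ip, networks):
    """Map each network to True if its traffic leaves via the VPN adapter."""
    routes = parse_routes(text)
    vpn_ip = ipaddress.ip_address(vpn_ip)
    result = {}
    for n in networks:
        probe = ipaddress.ip_network(n).network_address + 1  # first host
        r = egress(routes, probe)
        # The Gateway value (r[1]) is deliberately not part of the verdict.
        result[n] = r is not None and r[2] == vpn_ip
    return result
```

If every tunneled network maps to `True`, the client is sending that traffic into the tunnel, so troubleshooting moves to the headend and the devices behind it.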
