Windows 7 VPN client 5.0.07 0410 wrong default gateway

b_learoyd · ‎01-21-2011

This is terminating on an ASA c5510 sec+ running 8.3(2) Client devices running XP with the same VPN client get an address from the ASA pool e.g. 10.10.50.1 with no default gateway. Users are able to connect without a problem. Windows 7 (32bit) clients with this same VPN client get this address but get a default gateway 10.10.50.2 and are unable to connect for obvious reasons.

Things tried so far:

after re-imageing the client device (to re-gain virgin OS install) doing a DNE pre-install then deleteing ndis.sys and allowing W7 to do recovery
checking advance settings under network to ensure that the Virtual adapter is top of the stack
checked NIC driver (grasping at straws)
debugged ISA/IPSEC to check gateway is not being pushed by the ASA
tried route delete, route add to adjust the gateway on the client (desperation)
even though the NIC settings on the Virtual Adapter are set to DHCP when you look at the settings with the VPN connected these are changed (by something?) to define the rougue gateway as a static variable (confusion)

All of this has proved futile and I'm now out of ideas.

Who knows how to fix it ? This can't be the first instance of this.

Thanks in Advance.

Barry

rahgovin · ‎01-21-2011

This is expected behaviour from Vista onwards as it does not allow the default gateway to be the same as the ip address assigned, hence the next ip address in the pool is given. But the behaviour is still the same. From what you have said, you are able to connect using Win XP but not Win7 right? Are you using any kind of Broadband card on Win 7 to connect?

b_learoyd · ‎01-21-2011

Hi Rahul,

no broadband card just the onboard NIC (laptop)

Correct - can connect when everything else is the same except that the OS is XP

Connection to the Internet is via an ADSL broadband router cat5 (not wLAN)

I have a ticket open with Cisco TAC - the race is on to find the answer before they do

Regards

Barry

rahgovin · ‎01-21-2011

:-) I would check to see if you are encapsulating packets at all from the client side. This can be seen on the statistics. Also a capture on the vpn adapater would help.

Do you have split tunneling configured? Are you able to hit the internet once connected?

b_learoyd · ‎01-24-2011

Hi Rahul,

yes - its passing encrypted traffic see attached. No split tunnel.

Cisco TAC are floundering and can't point me at any documents that tell me how to fix this.

I'm remote from this problem so I have to ask my (very patient) customer to do stuff (e.g captures) on my behalf.

I don't have a W7 machine available at my location to replicate the problem.

Very sceptical that this is the first occurence of this problem and that troubleshooting needs to start from basics.

Rgds.

Barry

praprama · ‎01-25-2011

Hi Barry,

I am assuming that when not connected to VPN you don't any IP address or gateway on the VPN client adapter on the Win7 PC. Can you get the VPN client logs when connecting from the Win7 PC?

Is this the behavior with all Win7 PCs, that is, have you tried with different Win7 machines? Is it possible to get a config from the headend as well?

Cheers,

Prapanch

b_learoyd · ‎01-25-2011

Hi Prapanch

No offence . . . . but you need to read the complete thread before posting re:IP address & gateway

I'm not posting head end config because the config works with XP

There are no W7 specific parameters with ASA 8.3(2)

Multiple W7 machines have been used to test this.

We are looking at extracting level 15 logs from the client end - I will post if they don''t give an obvious answer.

TAC still not able to resolve this.

Rgds

Barry

mstacey_2 · ‎01-19-2012

You are not alone. I have same issue

Windows 7 Pc. Cisco VPN into ASA 8.4 using the same .pcf file as is used on my winxp machine

Winxp connects and I can ping the ASA inside network

Win7 machine connects but you can not get to the ASA inside network?