ASA with VPN - problems

blakemunro
Level 1

Hi,

I used the VPN wizard to create a site-site VPN connection today. The plan is to have an Endian Firewall device at the new branch office and connect it back via IPSec to the ASA at head office.


After I did that, I may have played around with some of the settings for the normal remote access VPN - as in the one end users can use with the VPN client software. Whenever they connect now, they aren't getting assigned a default gateway.

I manually connected using the client on a Win7 machine and then even tried going into the Cisco network adapter after I was connected and adding in our default gateway (the IP of the ASA) but it seems the route is not there either.

I've spent about 4 hours on this today and it's doing my head in. I'm not particularly good with Cisco stuff, but I know enough to break things and sometimes if I'm lucky fix them. Today I haven't been so lucky...

I've attached a 'show run' - can anyone have a look at this and let me know if you can see any obvious problems?

Further info:

Main office LAN: 192.168.1.0/24
New branch office: 192.168.5.0/24
WiFi VLAN: 192.168.8.0/24
DMZ: 192.168.10.0/24
IP of ASA: 192.168.1.1 / 255.255.255.0
IP block reserved for VPN clients: 192.168.1.200 / 255.255.255.248

The client is getting assigned everything (IP, DNS, Subnet mask etc) just not the default gateway.

I really need to get this fixed tomorrow as I'm travelling to the other side of the country this weekend to set up the branch office, and this is the last thing I need with people complaining they can't VPN in from home!

Thanks in advance if anyone can help.

17 Replies

andrew.prince
Level 10

It is normal for the virtual Cisco NIC not to receive a default gateway. If the virtual NIC had a default gateway, then the normal physical NIC would not work, and no network connectivity could be attained.

The traffic is controlled by the routing. When connected, if you perform a "route print" from a Windows machine, you will see the specific remote networks will use the virtual VPN adapter address as a next hop; this is correct. The Cisco client then knows what to encrypt and what not to.

HTH

Thanks Andrew, that makes sense - but I still have no idea why the ASA is not assigning a default gateway to the clients. I've somehow messed up the routing and it's not happy.

The ASA will NOT assign a default gateway - as explained. When you configured the VPN you defined the IP subnets that you want to be available via the VPN. This is then pushed to the client.

For the last 3 years it has assigned a default gateway (itself) and something I changed in the config today has stopped that.

Unfortunately there's no documentation on how it was set up in the first place, so looking at my show run are you able to see any major problems?

Cheers,

Blake

Hi,

Do you have split-tunnel enabled ? If yes you will not get default gateway.

Ty

Yes, we have a split tunnel and it's always the way it has been.

If you are suggesting I won't get a GW with this setup, can you please advise how?

Thanks

Since you are already connected to the VPN tunnel, it's considered that you are on the FW itself, so by logic you don't need any other gateway to get to the FW.

For rest of the network you will see the default gateway which will be configured on your physical NIC.

Ty

Okay thanks - makes sense. There must be something wrong with routing then. When connected to the ASA via VPN, I get assigned an IP from the pool and DNS servers but no gateway, as mentioned above.

How can I check to make sure the correct routes are in place? We are using split tunnel and it has been working fine for the last 3 years. Something is broken now but I don't know what.

Thanks
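A way to answer the "how can I check the routes" question using Andrew's "route print" suggestion. This is an added example, not from the original thread: a small Python parser that reads a Windows route table and confirms that each office network from the thread has a route whose interface is the VPN adapter's assigned address, and that no default route goes via the tunnel (which, for split tunnel, is the expected state). The route table text below is constructed for illustration; the assigned client address 192.168.1.204 is taken from the ASDM session shown later in the thread.

```python
"""Check a Windows 'route print' listing for the routes a split-tunnel
Cisco VPN client should have, using the networks named in this thread."""
import ipaddress
import re

# Networks that should be reachable via the tunnel (from the thread).
EXPECTED_VPN_NETWORKS = [
    "192.168.1.0/24",   # main office LAN (VPN pool 192.168.1.200/29 sits inside it)
    "192.168.5.0/24",   # new branch office
    "192.168.8.0/24",   # WiFi VLAN
    "192.168.10.0/24",  # DMZ
]

# Constructed sample of the IPv4 route table section; not real output.
# The WiFi VLAN route is deliberately absent so the check reports it.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.0.1      10.0.0.23     25
      192.168.1.0    255.255.255.0  192.168.1.204  192.168.1.204    100
      192.168.5.0    255.255.255.0  192.168.1.204  192.168.1.204    100
     192.168.10.0    255.255.255.0  192.168.1.204  192.168.1.204    100
"""

ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)"
)

def parse_routes(text):
    """Return a list of (network, gateway, interface) tuples from route print text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator or non-route line
        dest, mask, gw, iface, _metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes

def check_split_tunnel(text, vpn_ip, expected=EXPECTED_VPN_NETWORKS):
    """Report expected networks with no route via the VPN adapter, and whether
    a default route (0.0.0.0/0) points at the tunnel (it should not)."""
    routes = parse_routes(text)
    via_vpn = {str(net) for net, _gw, iface in routes if iface == vpn_ip}
    missing = [n for n in expected if n not in via_vpn]
    default_via_vpn = any(net.prefixlen == 0 and iface == vpn_ip
                          for net, _gw, iface in routes)
    return {"missing": missing, "default_via_vpn": default_via_vpn}

if __name__ == "__main__":
    print(check_split_tunnel(SAMPLE_ROUTE_PRINT, "192.168.1.204"))
```

On a real client, pipe the output of `route print -4` into `check_split_tunnel` with the address shown as "Assigned IP address" in ASDM.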

Reading all the posts, I am left confused as to what you are trying to solve.

Exactly what is the issue the vpn-client users are having?

Can't connect to the devices on the asa-side?

Can't connect to the www or local lan devices (like home printers, web pages, etc)?

Don't get hung up on the gateway missing.

It looks wrong but is correct.

Hi,

The VPN client users are unable to access anything on the ASA side - which is the LAN in our office.

With split tunnelling enabled they are able to access the internet via their own local internet connection, but any attempts at pinging anything on the ASA side (including the ASA itself) are failing.

DNS lookups fail. If I look in ASDM under VPN sessions, it shows for example:

username: john.smith

Assigned IP address: 192.168.1.204

Public Peer IP address: xxx.xxx.xxx.xxx

IPSecOverNatT - AES 128

Login time / duration etc

Bytes TX - 0

Bytes RX - 144096

The bytes TX is what the issue is, there's no traffic flow back to client from ASA.

Hope that helps

Regards,

Blake

Very nice description of the problem.

I'll keep looking at the config.

Q: Are you pinging names or IPs?

Have you tried both to see if it is DNS that is failing or if it is IPs too?

Hi,

Thanks for your assistance. Yes, I am trying both. The inside IP of the ASA is 192.168.1.1 and from a VPN client I can't even ping that IP.

I've tried pinging both hostnames and IPs, including our domain controllers which provide DNS etc - no traffic flow at all.


Regards,

Blake

Are your clients XP or Win7?

Which vpn profile are they using or is it all of them that have this problem?

We have a mixture of XP and Win7. It doesn't work on either platform.

Clients are using the 'vpn1' profile (I renamed it for security reasons). The 'vpn2' that you may see in the config is a result of me running the VPN wizard and setting up an entirely separate profile to try and get this working... neither of the profiles work.

It's possible that I modified something in the default group policy which may have caused this to break. If that's the case, I don't know what it is that I may have changed.

If you want any screenshots from ASDM or anything like that please let me know, I'm happy to provide.

Regards,

Blake
