Cisco ASA 5505 VPN connection issue ("Unable to add route")

brownbag0
Level 1

I'm trying to get IPSec VPN working on a new Cisco ASA5505. Pretty standard configuration.

Setup:

* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)

* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM

NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.

I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.

First I tried with the built-in ASDM IPSec Wizard, instructions found here.

VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).

Client logs show following error messages:

1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.

2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101

3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.

4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0

5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0

6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.

8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100

9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.

I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).

A show run shows the following output (note that in the output below I have tried a different VPN network: 192.168.3.0/24 instead of the 172.16.1.0/24 seen in the client log)

Result of the command: "sh run"


: Saved

:

ASA Version 8.2(5)

!

hostname AsaDWD

enable password kLu0SYBETXUJHVHX encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group DW-VPDN

ip address pppoe setroute

!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group DW-VPDN request dialout pppoe

vpdn group DW-VPDN localname fa******@SKYNET

vpdn group DW-VPDN ppp authentication pap

vpdn username fa******@SKYNET password *****

dhcpd auto_config outside

!

dhcpd address 192.168.2.5-192.168.2.36 inside

dhcpd domain DOMAIN interface inside

dhcpd enable inside

!


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DWD internal

group-policy DWD attributes

vpn-tunnel-protocol IPSec

username test password ******* encrypted privilege 0

username test attributes

vpn-group-policy DWD

tunnel-group DWD type remote-access

tunnel-group DWD general-attributes

address-pool DWD-VPN-Pool

default-group-policy DWD

tunnel-group DWD ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4

: end

I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.

Following commands have been entered:

ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0

username *** password ****


isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 43200

isakmp enable outside


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp nat-traversal


sysopt connection permit-ipsec

sysopt connection permit-vpn


group-policy dwdvpn internal

group-policy dwdvpn attributes

vpn-tunnel-protocol IPSec

default-domain value DWD


tunnel-group dwdvpn type ipsec-ra

tunnel-group dwdvpn ipsec-attributes

pre-shared-key ****

tunnel-group dwdvpn general-attributes

authentication-server-group LOCAL

default-group-policy dwdvpn

Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.

I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...

The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.

Does anyone know what's going on?
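The CM/0xA3100024 lines print the failed route as four hex words, so the first thing worth doing with this log is decoding them and checking them against the pool the poster configured from the CLI (172.16.1.100-172.16.1.199, mask 255.255.255.0). The script below is an added example written for this page, not part of the original post and not a Cisco tool; the log sample inside it is constructed from the entries quoted above. Decoding shows that both attempts fail on the same route, 192.168.1.255/32 via 172.16.1.1, that the client's adapter addresses (172.16.1.101 and 172.16.1.100) are inside the ASA pool, so IKE and address assignment completed and what fails is the Windows route insertion, and that 192.168.1.0/24 is a network that appears nowhere in the ASA configuration.

```python
"""Decode the Cisco VPN client route failures quoted in the question.

Added example, not part of the original post and not a Cisco tool. The
sample below is constructed from the log entries in the question, and the
pool range is the one from the poster's CLI commands
(172.16.1.100-172.16.1.199, mask 255.255.255.0).
"""
import ipaddress
import re

# Constructed sample: the CVPND/0xE3400013 and CM/0xA3100024 entries from the
# question, one pair per connection attempt.
SAMPLE_LOG = """\
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
"""

# Entry header: sequence, time, date, severity, component/message code.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<component>\w+)/0x(?P<code>[0-9A-Fa-f]+)"
)
# The CM component prints the route as four 32-bit words in hex, network order.
ROUTE_MSG = re.compile(
    r"Unable to add route\. Network: (?P<net>[0-9a-f]{8}), Netmask: (?P<mask>[0-9a-f]{8}),"
    r" Interface: (?P<iface>[0-9a-f]{8}), Gateway: (?P<gw>[0-9a-f]{8})"
)


def hex_to_ip(word):
    """c0a801ff -> 192.168.1.255"""
    return ipaddress.IPv4Address(int(word, 16))


def parse_entries(text):
    """Group the log into (header fields, message body) pairs."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append((m.groupdict(), []))
        elif entries:
            entries[-1][1].append(line)
    return [(hdr, "\n".join(body).strip()) for hdr, body in entries]


def failed_routes(text):
    """Decode every CM/0xA3100024 'Unable to add route' entry."""
    routes = []
    for hdr, body in parse_entries(text):
        if hdr["component"] != "CM" or hdr["code"].upper() != "A3100024":
            continue
        m = ROUTE_MSG.search(body)
        if not m:
            continue
        dest = ipaddress.IPv4Network(
            (hex_to_ip(m["net"]), str(hex_to_ip(m["mask"]))), strict=False)
        routes.append({
            "seq": int(hdr["seq"]),
            "destination": dest,
            "interface": hex_to_ip(m["iface"]),
            "gateway": hex_to_ip(m["gw"]),
        })
    return routes


def classify(routes, pool_first, pool_last, pool_mask):
    """For each failed route: is the client's adapter address inside the ASA
    pool (address assignment worked), is the gateway inside the pool subnet,
    and is the destination inside the pool subnet or somewhere else."""
    first = ipaddress.IPv4Address(pool_first)
    last = ipaddress.IPv4Address(pool_last)
    pool_net = ipaddress.IPv4Network((pool_first, pool_mask), strict=False)
    rows = []
    for r in routes:
        rows.append({
            "seq": r["seq"],
            "adapter_in_pool": first <= r["interface"] <= last,
            "gateway_in_pool_subnet": r["gateway"] in pool_net,
            "destination_in_pool_subnet": r["destination"].subnet_of(pool_net),
            "route": f"{r['destination']} via {r['gateway']} dev {r['interface']}",
        })
    return rows


if __name__ == "__main__":
    for row in classify(failed_routes(SAMPLE_LOG),
                        "172.16.1.100", "172.16.1.199", "255.255.255.0"):
        print(row)
```

Run it against a full client log (the real file has the same header shape, one entry per `N HH:MM:SS.mmm MM/DD/YY Sev=...` line) and every decoded route is printed with the three yes/no checks; a destination that is outside the pool subnet and absent from the ASA configuration, as here, is the thing to chase on the client side rather than in the ASA.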

5 Replies

brownbag0
Level 1

Anyone?

I've started from scratch again and am facing the same issue. Very frustrating :/

rizwanr74
Level 7

Please post your current config on the forum and tell me what it is that you cannot access while on the VPN client.

thanks

jomar050485
Level 1

Have you tried it from another PC?

Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.

Please find my renewed config below:

DWD-ASA(config)# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname DWD-ASA

enable password ******* encrypted

passwd ****** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group DWD

ip address pppoe setroute

!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

vpdn group DWD request dialout pppoe

vpdn group DWD localname *****@SKYNET

vpdn group DWD ppp authentication pap

vpdn username *****@SKYNET password *****

dhcpd auto_config outside

!

dhcpd address 192.168.2.10-192.168.2.40 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy dwdipsec internal

group-policy dwdipsec attributes

vpn-tunnel-protocol IPSec

default-domain value DWDDOM

username user1 password ***** encrypted privilege 0

username user1 attributes

vpn-group-policy dwdipsec

tunnel-group dwdipsec type remote-access

tunnel-group dwdipsec general-attributes

address-pool vpnpool

default-group-policy dwdipsec

tunnel-group dwdipsec ipsec-attributes

pre-shared-key *****

tunnel-group dwdssl type remote-access

tunnel-group dwdssl general-attributes

address-pool vpnpool

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f5c8dd644aa2a27374a923671da1c834

: end

DWD-ASA(config)#

Please change your ACL as shown below...

access-list inside_nat0_outbound extended permit ip 192.168.2.0 mask 255.255.255.0 192.168.50.0 255.255.255.224

Please confirm that your inside hosts have their default gateway assigned.

If your inside switch is a Layer3 switch please make sure that you have a static-route in place to push vpn bound traffic to FW's inside address as shown below.

"ip route 192.168.50.0 255.255.255.0 192.168.2.254"

Please include this line as well on your dynamic crypto config.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

To access the internet via a VPN client connection to the corporate network, use the config below.

nat (outside) 1 192.168.50.0 255.255.255.0

Let me know the result

Thanks

Rizwan Rafeek
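The reply above lists three changes; two things a practitioner would also want to check in the posted config are not in the thread. First, on ASA 8.2 the `nat (outside) 1 <pool>` hairpin only works together with `same-security-traffic permit intra-interface`, because full-tunnel client traffic enters and must leave the same outside interface. Second, the second `sh run` contains `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside`, which permit ASDM/HTTPS and SSH management from any Internet address; restricting those is the editor's recommendation, not something the replies ask for. The script below is an added example written for this page, not Cisco tooling and not code from the thread: it audits an excerpt of the second config (constructed from the lines quoted above) for the NAT-exemption coverage of the pool, reverse-route, split tunnelling and hairpin NAT, management exposure, and the DES/MD5/PFS-group1 proposals still offered by the default dynamic map. `FIXED` applies the reply's three changes (the ACE written in ASA syntax, source address and mask then destination address and mask), adds the intra-interface command, and drops the two open management lines; the finding codes are this example's own names.

```python
"""Audit an ASA 8.2 remote-access IPsec config for the points raised in this thread.

Added example; not Cisco tooling and not code from the thread. CONFIG is a
constructed excerpt of the second 'sh run' above. FIXED applies the last
reply's three changes, adds 'same-security-traffic permit intra-interface'
(needed on 8.2 before traffic can re-exit the outside interface) and removes
the 0.0.0.0/0 management entries. Finding codes are this example's own names.
"""
import ipaddress
import re

CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
ssh 0.0.0.0 0.0.0.0 outside
group-policy dwdipsec attributes
 vpn-tunnel-protocol IPSec
tunnel-group dwdipsec general-attributes
 address-pool vpnpool
"""

FIXED = (
    CONFIG.replace("permit ip any 192.168.50.0",
                   "permit ip 192.168.2.0 255.255.255.0 192.168.50.0")
    .replace("http 0.0.0.0 0.0.0.0 outside\n", "")
    .replace("ssh 0.0.0.0 0.0.0.0 outside\n", "")
    + "same-security-traffic permit intra-interface\n"
    + "nat (outside) 1 192.168.50.0 255.255.255.0\n"
    + "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route\n"
)


def _addr_spec(tokens, i):
    """One ASA ACE address spec: any | host A | A MASK (real masks, not wildcards)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def pool_range(cfg):
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg, re.M)
    if not m:
        raise ValueError("no 'ip local pool' in config")
    return ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])


def nat0_aces(cfg):
    """(source, destination) networks of every ACE in the NAT-exemption ACL."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return []
    aces = []
    pat = rf"^access-list {re.escape(m[1])} extended permit ip .*$"
    for line in re.findall(pat, cfg, re.M):
        tok = line.split()
        i = tok.index("ip") + 1
        src, i = _addr_spec(tok, i)
        dst, _ = _addr_spec(tok, i)
        aces.append((src, dst))
    return aces


def audit(cfg):
    f = set()
    first, last = pool_range(cfg)
    aces = nat0_aces(cfg)
    if not aces:
        f.add("NO_NAT_EXEMPTION")
    elif not any(first in dst and last in dst for _, dst in aces):
        f.add("NAT0_MISSES_POOL")            # inside replies get PATted, tunnel is one-way
    if any(src.prefixlen == 0 for src, _ in aces):
        f.add("NAT0_SOURCE_ANY")             # broader than the inside subnet needs
    if not re.search(r"^crypto dynamic-map \S+ \d+ set reverse-route", cfg, re.M):
        f.add("NO_REVERSE_ROUTE")
    hairpin_nat = re.search(r"^nat \(outside\) ", cfg, re.M) is not None
    intra = "same-security-traffic permit intra-interface" in cfg
    if not re.search(r"^ split-tunnel-policy tunnelspecified", cfg, re.M):
        f.add("FULL_TUNNEL")                 # all client traffic, Internet included, hits the ASA
        if not (hairpin_nat and intra):
            f.add("CLIENT_INTERNET_BLOCKED")  # cannot re-exit the outside interface
    if hairpin_nat and not intra:
        f.add("NAT_OUTSIDE_WITHOUT_INTRA_INTERFACE")
    for proto in ("http", "ssh"):
        if re.search(rf"^{proto} 0\.0\.0\.0 0\.0\.0\.0 outside", cfg, re.M):
            f.add(f"{proto.upper()}_MGMT_OPEN_TO_INTERNET")
    ts = re.search(r"set transform-set (.+)$", cfg, re.M)
    if ts and re.search(r"ESP-DES-|-MD5\b", ts[1]):
        f.add("WEAK_TRANSFORMS_OFFERED")     # single DES / MD5 still negotiable
    if re.search(r"set pfs group1\b", cfg, re.M):
        f.add("PFS_GROUP1")                  # 768-bit DH for PFS
    return sorted(f)


if __name__ == "__main__":
    print("posted config:", audit(CONFIG))
    print("after fixes:  ", audit(FIXED))
```

Against the posted excerpt the audit reports the open management entries, the missing reverse-route, full tunnelling with no hairpin path for client Internet traffic, the `any` source on the exemption ACE, and the weak proposals; after the fixes only the full-tunnel note and the weak-proposal findings remain, which is the expected state given the thread makes no change to split tunnelling or the transform list.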