03-29-2017 05:52 AM
Setting up a Cisco ASA 5505 for a remote access VPN. I can connect to the device remotely and I get an IP address and subnet from the ASA but the default gateway always ends up displaying ":: (enter) 100.100.100.1" The 100.100.100.1 address is the correct default gateway but the double colon won't let me talk to anything on the network.
Below is the config of the ASA and I've also attached a screenshot of the command prompt "ipconfig" and "route print"
I have tried factory defaulting the ASA through ASDM and deleting all of the hidden directory files left on my computer but when I configure the ASA, I end up with the same double colon default gateway problem.
I had previously started a conversation about this but it was closed before the issue was resolved. I'm not eliminating the fact that it might be an issue with my computer but I'm thinking that isn't the case because this ASA has had the same issue with other computers, so that's why I think it is something to do with the configuration.
Help would be greatly appreciated! I've been fighting this thing off and on for a couple of months now.
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool InsidePool 100.100.100.240-100.100.100.245 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 100.100.100.252 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 8.8.8.5 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network InsideGateway
host 100.100.100.1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 100.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=100.100.100.252,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
**Crypto information**
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
anyconnect profiles Remote_client_profile disk0:/Remote_client_profile.xml
anyconnect enable
tunnel-group-list enable
certificate-group-map DefaultCertificateMap 10 Remote
group-policy GroupPolicy_Remote internal
group-policy GroupPolicy_Remote attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
webvpn
anyconnect profiles value Remote_client_profile type user
username admin password eY/fQXw7Ure8Qrz7 encrypted
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool InsidePool
default-group-policy GroupPolicy_Remote
tunnel-group Remote webvpn-attributes
group-alias Remote enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:ff561808de5a003e9e4b10c16bdc0421
: end
03-29-2017 08:33 AM
If you aren't using IPv6 on your adapter, please try disabling it. It is showing that it's not picking up a default gateway on the IPv6 stack, thus the null ("::") entry as the IPv6 default gateway.
Also, that's quite an old AnyConnect image you have on the ASA. Are you running that release on the PC as well?
What is your OS - Windows 10 is not supported on that AnyConnect release.
03-29-2017 08:42 AM
I'm using Windows 7 and yes, that is the version of AnyConnect I'm currently using on the PC.
Disable the IPv6 adapter on my pc?
03-29-2017 08:51 AM
Yes - disable IPv6 protocol on the "Ethernet Adapter Local Area connection 3" adapter.
There is a bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCte86255
Which states:
Symptom:
The presence of IPv6 adapters with no default gateways may cause TND to incorrectly determine the network type.
Workaround:
Disable such adapters.
03-29-2017 08:57 AM
After I am connected to the VPN and I'm given an IP address, the "Ethernet Adapter Local Area Connection 3" does not show up in my network connections. Is there a way to disable the IPv6 protocol via command prompt, or how would I do that if it doesn't show up?
03-29-2017 09:09 AM
There is an obscure command line way using netsh but I always use the GUI for that.
Just open the network adapter properties when it is active and disable it. You can see the setting in the screenshot from my computer below:
03-29-2017 01:56 PM
So I got that to work, but do you know of a way to fix this in the config of the ASA? I'm just looking ahead to implementation on my users' PCs and don't want them to have to disable IPv6. Is there a way to disable this in the ASA config via ASDM?
03-29-2017 08:41 PM
I'm not positive but suspect you may have selected an unnecessary option when creating the VPN profile.
I noticed you have "Remote_client_profile.xml" indicating you have created a profile for the clients on your ASA. That profile gets pushed and governs the behavior of the client software.
When you create the profile in the profile editor, there is an option on the first preferences page regarding IP Protocol Supported. Please check to see if yours says IPv4 and IPv6 both. If it does, change it to IPv4 only.
03-30-2017 02:25 PM
I just checked and it's currently already on just IPv4 only
03-30-2017 06:55 PM
Hi,
Try the following command in the group policy:
group-policy GroupPolicy_Remote attributes
This is an explanation of the command:
The Client Bypass Protocol feature allows you to configure how the AnyConnect client manages IPv4 traffic when the ASA is expecting only IPv6 traffic or how AnyConnect manages IPv6 traffic when the ASA is only expecting IPv4 traffic.
When the AnyConnect client makes a VPN connection to the ASA, the ASA could assign the client an IPv4, IPv6, or both an IPv4 and IPv6 address.
If Client Bypass Protocol is enabled for one IP protocol and an address pool is not configured for that protocol (in other words, no IP address for that protocol was pushed to the client from the ASA), any IP traffic using that protocol will not be sent through the VPN tunnel; it will be sent from the AnyConnect client in the clear.
On the other hand, if Client Bypass Protocol is disabled, and an address pool is not configured for that protocol, the client will drop all traffic for that IP protocol once the VPN tunnel is established.
For example, assume that the ASA assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped and if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear.
Hope this info helps!!
Rate if it helps you!!
-JP-
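The group-policy attribute JP is describing is client-bypass-protocol. The fragment below is an added configuration example, not part of the original post and not taken from the poster's ASA; it reuses the thread's own group-policy and tunnel-group names, and the IPv6 pool name and prefix (2001:db8:0:1::/64, the documentation prefix) are assumptions. It puts the two settings side by side and adds the third option the explanation implies: assigning the client an IPv6 address so that neither the drop nor the bypass behaviour applies.

```text
! Added example, not from the original post. Names GroupPolicy_Remote,
! Remote and InsidePool are the thread's; InsidePool6 and 2001:db8:0:1::/64
! are assumed for illustration.

! Option A (the ASA default): no IPv6 pool, Client Bypass Protocol disabled.
! A dual-stack endpoint drops all IPv6 traffic for the life of the tunnel.
! Nothing leaves the endpoint in the clear; the "::" gateway the client shows
! is simply the absence of an IPv6 default route.
group-policy GroupPolicy_Remote attributes
 vpn-tunnel-protocol ikev2 ssl-client
 client-bypass-protocol disable

! Option B: no IPv6 pool, Client Bypass Protocol enabled.
! IPv6 traffic bypasses the tunnel and goes out the physical adapter
! unprotected. This is effectively a split tunnel for a whole address family,
! so only use it where cleartext IPv6 from the endpoint is acceptable.
group-policy GroupPolicy_Remote attributes
 client-bypass-protocol enable

! Option C: push an IPv6 address too, so IPv6 is tunnelled like IPv4.
! Requires IPv6 on the inside network and a route back to the pool prefix.
ipv6 local pool InsidePool6 2001:db8:0:1::10/64 100
tunnel-group Remote general-attributes
 address-pool InsidePool
 ipv6-address-pool InsidePool6

! After reconnecting, confirm which addresses the client actually received:
! show vpn-sessiondb anyconnect filter name <username>
```

The setting only changes what the endpoint does with IPv6 packets that have no tunnel to go into; it does not add an IPv6 default gateway on the client, so "ipconfig" will keep showing "::" under Options A and B. Only Option C gives the adapter a real IPv6 address and route.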
03-31-2017 04:45 AM
Via the ASDM, I went to the group policies and entered the settings for the one I'm using and disabled the Client Bypass Protocol. It still gives me the :: before the Default Gateway.
The only way that I can get it to work is to disable IPv6 in the network connection settings.