I have the following situation:
ASA 5515X running 8.6
I have multiple inside sub interfaces:
.12 = 192.168.12.1/24
.13 = 192.168.13.1/24
.14 = 192.168.14.1/24
Now I want to set up an IPSec remote access VPN:
I assign the range 192.168.99.5 to 192.168.99.50 for VPN clients.
I configured split tunneling for the following networks: 192.168.10.0, 192.168.11.0 and 192.168.12.0
These are also NAT exempt.
So the config looks good.
The VPN is up.
However, when connecting to the VPN none of these networks are available.
After troubleshooting, I discovered the following:
The IP address received on my VPN adapter is 192.168.99.5 (as expected)
However when I do a route print, I see the following:
Destination Netmask Gateway Interface
192.168.10.0 255.255.255.0 192.168.99.1 192.168.99.5
192.168.11.0 255.255.255.0 192.168.99.1 192.168.99.5
192.168.12.0 255.255.255.0 192.168.99.1 192.168.99.5
The gateway in my PC's routing table is pointing to a non-existing address; in my opinion it should be set to the same address as my VPN adapter (192.168.99.5).
I did try this both with AnyConnect and the classic VPN client.
Where am I going wrong?
The gateway address you see on the virtual interface (the one created by VPN connection) is not important.
This address sometimes is the same address as your interface, sometimes it's blank. It doesn't matter. This is not the problem. Just ignore it and look somewhere else to keep troubleshooting.
The gateway address listed in my post is not the default gateway on my virtual VPN interface on my PC.
My virtual interface default gateway is blank, as expected.
The output I posted is the one coming from the "route print" command on my PC.
So it will send traffic to 192.168.99.1 (non-existing IP) for the 3 tunneled networks. I think it should use the IP of my virtual VPN interface?
Indeed, the problem was not on the ASA but on the underlying equipment.
It is also true that the next hop for the tunneled networks varies: sometimes it is the same, sometimes it's something random.
Anyway, issue resolved.