06-07-2013 07:57 AM
Hi all,
I have the following situation:
ASA 5515X running 8.6
I have multiple inside sub interfaces:
.10 =192.168.10.124
.11 =192.168.11.124
.12 = 192.168.12.1/24
.13 = 192.168.13.1/24
.14 = 192.168.14.1/24
Now I want to set up an IPSec remote access VPN:
I assign the range 192.168.99.5 to 192.168.99.50 for VPN clients.
I configured split tunneling for the following networks: 192.168.10.0, 192.168.11.0 and 192.168.12.0
These are also NAT exempt.
So the config looks good.
The VPN is up.
However, when connecting to the VPN none of these networks are available.
After troubleshooting, I discovered the following:
The IP address received on my VPN adapter is 192.168.99.5 (as expected)
However when I do a route print, I see the following:
Destination Netmask Gateway Interface
192.168.10.0 255.255.255.0 192.168.99.1 192.168.99.5
192.168.11.0 255.255.255.0 192.168.99.1 192.168.99.5
192.168.12.0 255.255.255.0 192.168.99.1 192.168.99.5
The gateway in my PC's routing table is pointing to a non-existing address; in my opinion it should be set to the same address as my VPN adapter (192.168.99.5).
I did try this both with AnyConnect and the classic VPN client.
Where am I going wrong?
06-07-2013 11:50 AM
The gateway address you see on the virtual interface (the one created by VPN connection) is not important.
This address sometimes is the same address as your interface, sometimes it's blank. It doesn't matter. This is not the problem. Just ignore it and look somewhere else to keep troubleshooting.
06-08-2013 01:41 AM
The gateway address listed in my post is not the default gateway on my virtual VPN interface on my PC.
My virtual interface default gateway is blank, as expected.
The output I posted is the one coming from the "route print" command on my PC.
So it will send traffic to 192.168.99.1 (non-existing IP) for the 3 tunneled networks; I think it should use the IP of my virtual VPN interface?
06-08-2013 06:55 AM
No, this ip route pointing to 192.168.99.1 is correct. This is not the cause of the problem.
06-11-2013 02:26 AM
Indeed, the problem was not on the ASA but on the underlying equipment.
It is also true that the next hop for the tunneled networks varies: sometimes it is the same, sometimes it's something random.
Anyway, issue resolved.