Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
316
Views
0
Helpful
1
Replies

mysterious unwanted route added by VPN software client

DANIEL WANG
Level 1
Level 1

‎07-26-2007 10:55 AM - edited ‎02-21-2020 03:10 PM

We have an Internet-facing VPN concentrator 3005 outside our ASA firewall and vpn software client installed on laptops in a Windows 2000 domain with Active Directory. No split-tunneling is allowed.

I once installed the VPN client on a new laptop in the corportate network, and to test it, I connected the laptop to VPN concentrator. When I tried to ping our primary DC, I got timeouts. But I could ping other DCs and any other corporate devices.

Upon examing the "route print" output, I found that the VPN client added a few routes, including a route for the primary DC out the LAN interface to the LAN default gateway. No wonder I couldn't ping it -- the ICMP packes got dropped because they were directed to the local LAN. I could manually remove the route and connections to the PDC would be fine.

What bothers me is that I can't find a place in the concentrator config or VPN client to remove the unwanted route. It is not in the static routes on the concentrator. I even searched the concentrator's CONFIG file but only found one instance of PDC IP address, which is the DNS server address. I also tried no firewall for this VPN group.

Can someone offer me a clue?

Appreciate it much!

daniel

Labels:
0 Helpful
1 Reply 1

amritpatek
Level 6
Level 6

‎08-01-2007 10:37 AM

I think that the client will get a route for the subnet that it recieves an address in and that if the ASA is not setup to hand down a specific subnet, the client just uses a classful subnet. You can apply a specific mask to the client pool on the ASA. The commands you may need to enter are as follows:

clear crypto isakmp sa

clear crypto ipsec sa

then you want to remove the address pool from the VPN Group

no vpngroup address pool

then you can remove the old pool

no ip local pool

then add the new pool

ip local pool mask

then apply the new pool to the vpngroup

vpngroup address pool

Keep in mind that if the same old pool is applied to more than one VPN group then you need to remove the old pool from all groups where it is applied, prior to removing the pool.

0 Helpful
Customers Also Viewed These Support Documents