09-16-2014 04:14 AM - edited 02-21-2020 07:49 PM
Hello,
I have a problem with Remote Access VPN. The client says that he can connect to the VPN but cannot connect via SSH to my network address. I tried connecting to the same VPN from my Android phone; the connection was successful, and I could connect to my network address. Where can the problem be?
I use a Cisco ASA 5555; the client uses the Cisco Systems VPN Client. We tried another client, but the result was the same.
The client also sent me the VPN log, and I found this error:
AddRoute failed to add a route with metric of 0: code 160
Is the problem in the client computer or network, or can the problem be in my ASA configuration?
09-16-2014 04:33 AM
I think the problem is with the client. I suggest:
1. Uninstall the Cisco Remote Access VPN client
2. Reboot the PC
3. Install the Cisco Remote Access VPN client
4. Reboot the PC
5. Test the VPN connection
--
Please remember to select a correct answer and rate helpful posts
09-16-2014 05:21 AM
I told the customer to reinstall the program. We also tried from a computer on the outside connecting to these addresses: the VPN tunnel is created successfully, but we cannot connect to inside IP addresses; the connection only works with the Android device.
09-17-2014 10:26 PM
Have you tested it with any other PC?
Once the VPN is connected, you could run Wireshark on the VPN adapter and the local adapter to see what path the packets are taking. By that you will be able to determine whether the packets are getting encrypted or not.
If the packets are taking the local circuit instead of the VPN adapter, then try reinstalling the client as suggested by Marius.
If the packets are going through the VPN interface, then do packet captures on the inside of the ASA to see if the packets are being sent out.
Also try doing an asp-drop capture; that will show you if the ASA is dropping the packets in flow.
#capture asp type asp-drop all
#show cap asp | in <client IP>
You could also check the decrypt counts to see if the tunnel is decrypting any packets.
#sho crypto ipse sa peer <client's public ip>
If the decaps are 0, then try to do an ESP capture on the outside of the ASA to see if you receive any ESP packets or port 4500 packets on the outside from this client PC.
#capture capout interface outside match ip host <ASA's WAN IP> host <client's public IP>
#show cap capout
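The decaps/encaps reasoning in the post above can be automated. The following is an added example (not from the thread or from Cisco): it parses a constructed excerpt in the layout of the ASA's "show crypto ipsec sa" output, reads the per-peer "#pkts encaps"/"#pkts decaps" counters, and maps them to the next capture the post recommends. The peer addresses, usernames and counter values are made up; 203.0.113.10 stands in for the ASA's outside address.

```python
import re

# Constructed excerpt in the layout of "show crypto ipsec sa" on an ASA with
# two remote-access SAs. All addresses and counters are invented for this
# example; 203.0.113.10 is a placeholder for the ASA's outside address.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.201.212/255.255.255.255/0/0)
      current_peer: 198.51.100.23, username: client-pc
      dynamic allocated peer ip: 192.168.201.212

      #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.201.213/255.255.255.255/0/0)
      current_peer: 198.51.100.77, username: android
      dynamic allocated peer ip: 192.168.201.213

      #pkts encaps: 980, #pkts encrypt: 980, #pkts digest: 980
      #pkts decaps: 1175, #pkts decrypt: 1175, #pkts verify: 1175
"""

PEER_RE = re.compile(r"current_peer:\s*([0-9a-fA-F.:]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt):\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer_ip: {"encaps": n, "encrypt": n, "decaps": n, "decrypt": n}}."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            # A new SA block starts at its current_peer line.
            peer = m.group(1)
            counters[peer] = {}
            continue
        if peer is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[peer][name] = int(value)
    return counters


def classify(sa):
    """Interpret one SA's counters from the ASA's point of view:
    decaps = packets received from the client and decrypted,
    encaps = packets the ASA encrypted towards the client."""
    encaps = sa.get("encaps", 0)
    decaps = sa.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return "idle"
    if decaps == 0:
        return "no_decaps"       # client traffic never arrives or never decrypts
    if encaps == 0:
        return "no_encaps"       # client traffic arrives but nothing goes back
    return "bidirectional"


# What the post recommends looking at next for each state.
NEXT_STEP = {
    "idle": "client is not sending into the tunnel; check its routing table",
    "no_decaps": "capture ESP / UDP 4500 from the client's public IP on the outside interface",
    "no_encaps": "capture on the inside interface and check the asp-drop capture",
    "bidirectional": "tunnel passes traffic both ways; look beyond the ASA",
}


def triage(text):
    """Return {peer_ip: (state, next_step)} for every SA in the output."""
    result = {}
    for peer, sa in parse_sa_counters(text).items():
        state = classify(sa)
        result[peer] = (state, NEXT_STEP[state])
    return result


if __name__ == "__main__":
    for peer, (state, step) in triage(SAMPLE_OUTPUT).items():
        print(f"{peer}: {state} -> {step}")
```

Run against the real output of `show crypto ipsec sa peer <client's public ip>` pasted into `SAMPLE_OUTPUT`, the first peer in the sample reproduces the situation the post describes: the ASA encrypts replies but decrypts nothing from the client, so the next place to look is the outside capture for ESP or UDP 4500 from that client.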
09-16-2014 04:36 AM
After getting connected, what type of traffic are you trying to send over the tunnel to your internal IP? What device is this IP on?
Check the Route Details on the client under Statistics after connecting and check if all the subnets in the split ACL are getting populated there.
09-16-2014 05:21 AM
The client tries to connect to the server via SSH, port 22.
When the client connects, this information is added to the routes:
172.17.134.2 255.255.255.255 On-link 192.168.201.212 31 (server IP address)
172.17.134.15 255.255.255.255 On-link 192.168.201.212 31 (server IP address)
192.168.201.212 255.255.255.255 On-link 192.168.201.212 286 (client local IP address in my network)
213.X.X.X 255.255.255.255 10.10.64.201 10.10.64.71 11 (VPN address)
In my network the default gateway is 192.168.200.253, but for some reason I think that the VPN takes 192.168.201.212 as the default gateway.
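The route rows posted above can be checked mechanically rather than by eye. The following is an added example, not from the thread: it takes rows in the layout of Windows "route print" (destination, netmask, gateway, interface, metric), does a longest-prefix lookup the way the host does, and confirms that every split-tunnel destination leaves via the VPN adapter while the ASA's public address still leaves via the physical adapter. The rows mirror the ones posted; 203.0.113.5 is a placeholder for the ASA's public IP, and a second, deliberately broken table shows what a missing split-tunnel route looks like.

```python
from ipaddress import ip_address, ip_network

# Constructed rows in the layout of "route print" on Windows:
# (destination, netmask, gateway, interface, metric). Addresses follow the
# thread's post; 203.0.113.5 is a placeholder for the ASA's public IP.
ROUTE_ROWS = [
    ("0.0.0.0",         "0.0.0.0",         "10.10.64.201", "10.10.64.71",     11),
    ("172.17.134.2",    "255.255.255.255", "On-link",      "192.168.201.212", 31),
    ("172.17.134.15",   "255.255.255.255", "On-link",      "192.168.201.212", 31),
    ("192.168.201.212", "255.255.255.255", "On-link",      "192.168.201.212", 286),
    ("203.0.113.5",     "255.255.255.255", "10.10.64.201", "10.10.64.71",     11),
]

# Same table with one split-tunnel host route missing (constructed failure case).
BROKEN_ROWS = [row for row in ROUTE_ROWS if row[0] != "172.17.134.15"]

SPLIT_ACL = ["172.17.134.2", "172.17.134.15"]   # hosts in the split-tunnel ACL
VPN_ADAPTER_IP = "192.168.201.212"               # address assigned by the ASA pool
VPN_PEER_IP = "203.0.113.5"                      # placeholder for the ASA public IP


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins,
    which is how Windows selects a route. Returns (gateway, interface)."""
    best_key, best_hop = None, None
    target = ip_address(dst)
    for dest, mask, gateway, iface, metric in routes:
        net = ip_network(f"{dest}/{mask}", strict=False)
        if target not in net:
            continue
        key = (net.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best_hop = key, (gateway, iface)
    return best_hop


def check_split_tunnel(routes, split_acl, vpn_adapter_ip, vpn_peer_ip):
    """Return a list of findings (empty means the table looks right):
    every split-tunnel host must exit via the VPN adapter, and the VPN peer
    itself must not be routed into the tunnel (that would loop)."""
    findings = []
    for host in split_acl:
        hop = lookup(routes, host)
        if hop is None or hop[1] != vpn_adapter_ip:
            findings.append(f"{host}: not routed via the VPN adapter (next hop {hop})")
    peer_hop = lookup(routes, vpn_peer_ip)
    if peer_hop is not None and peer_hop[1] == vpn_adapter_ip:
        findings.append(f"VPN peer {vpn_peer_ip} is routed into the tunnel (routing loop)")
    return findings


if __name__ == "__main__":
    for label, table in (("posted table", ROUTE_ROWS), ("broken table", BROKEN_ROWS)):
        print(label, check_split_tunnel(table, SPLIT_ACL, VPN_ADAPTER_IP, VPN_PEER_IP) or "OK")
```

With the posted rows the check passes: both 172.17.134.x hosts are on-link via 192.168.201.212 (the VPN adapter), and the ASA's public address still goes through the physical gateway 10.10.64.201, so the client's routing matches the split-tunnel configuration and the default gateway for the LAN is not involved.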
09-16-2014 11:16 AM
Are you tunneling all traffic or do you have split tunneling configured?
09-17-2014 12:30 AM
I have configured split tunneling for these IP addresses: 172.17.134.2 and 172.17.134.15.
09-17-2014 12:41 AM
You say the connection was successful from the PC and the Android phone. What device is the client using?
09-17-2014 06:16 AM
No, the connection was successful only from the Android phone; the client is using a PC.
I suspect that something is wrong with the customer's computer or his network...
09-17-2014 06:20 AM
Was the Android phone connected to the client's wireless, or was it connected via the phone provider's internet service? It could very well be that the client network is blocking ports 500 and 4500.
Can your client test with a laptop from within the network and outside the network (from his/her home, for example)? If the client fails to connect while inside the network but is able to connect from home, it is definitely the client network.
09-18-2014 12:59 AM
Now we really know that the problem is on the client side, because we tried connecting from home, and both the VPN connection and the SSH connection were successful.
The client says that he tried connecting from different computers, but the result is the same: the VPN connection is successful, but SSH does not connect.
What other problems apart from port blocking can there be?
09-18-2014 01:10 AM
Do they do any kind of deep packet inspection on your client's network?
Normally, if you establish a VPN from within a network, it will pass through all network devices encrypted and the payload should not be touched.
Are you sure that the client is getting an IP address through the VPN when he/she is located within the network? That would be worth checking, as I have seen in some very rare cases that the VPN seems to connect but the client is not issued an IP.
09-19-2014 12:34 AM
We solved the problem. From home we connected with a laptop running Windows XP, and the client uses Windows 7; this is a Windows 7 problem, some updates are blocking the connection.
Thank you for the help and discussion :)