02-24-2011 02:57 AM
We are in the process of creating an Easy VPN Server on a 3825 and deploying Cisco VPN Client 5.0.07.0290 32bit on XP machines and 64bit on Win 7 64bit machines.
Our first install of the client is on a Win 7 64bit machine.
The client connects to the Easy VPN Server without problems, however, after it connects we are unable to access any of the networks at the business site. The client reports the following error in the log:
375 21:37:23.975 02/24/11 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.200.0
Netmask 255.255.255.0
Gateway 192.168.120.1
Interface 192.168.120.232
We spent some time searching discussions and it appears that this problem has been reported before (https://supportforums.cisco.com/message/3037133) but no solution is available (none that we can find).
Here is the routing table on the client before and after the error:
374 21:37:20.933 02/24/11 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.154 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.200.0 255.255.255.0 192.168.200.154 192.168.200.154 281
192.168.200.154 255.255.255.255 192.168.200.154 192.168.200.154 281
192.168.200.255 255.255.255.255 192.168.200.154 192.168.200.154 281
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.200.154 192.168.200.154 281
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 281
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.200.154 192.168.200.154 281
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 281
375 21:37:23.975 02/24/11 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.200.0
Netmask 255.255.255.0
Gateway 192.168.120.1
Interface 192.168.120.232
376 21:37:23.975 02/24/11 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a8c800, Netmask: ffffff00, Interface: c0a878e8, Gateway: c0a87801.
377 21:37:23.975 02/24/11 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
378 21:37:23.975 02/24/11 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.154 25
0.0.0.0 0.0.0.0 192.168.120.1 192.168.120.232 100
58.108.160.188 255.255.255.255 192.168.200.1 192.168.200.154 100
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.120.0 255.255.255.0 192.168.120.232 192.168.120.232 281
192.168.120.232 255.255.255.255 192.168.120.232 192.168.120.232 281
192.168.120.255 255.255.255.255 192.168.120.232 192.168.120.232 281
192.168.200.0 255.255.255.0 192.168.200.154 192.168.200.154 281
192.168.200.1 255.255.255.255 192.168.200.154 192.168.200.154 100
192.168.200.154 255.255.255.255 192.168.200.154 192.168.200.154 281
192.168.200.154 255.255.255.255 192.168.120.1 192.168.120.232 281
192.168.200.255 255.255.255.255 192.168.200.154 192.168.200.154 281
192.168.200.255 255.255.255.255 192.168.120.1 192.168.120.232 281
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.200.154 192.168.200.154 281
224.0.0.0 240.0.0.0 192.168.120.232 192.168.120.232 281
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.200.154 192.168.200.154 281
255.255.255.255 255.255.255.255 192.168.120.232 192.168.120.232 281
379 21:37:23.975 02/24/11 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
We tried and failed:
1. connection with firewall on and off
2. running the client as administrator
Also, if you try and add the route manually it fails with bad metric 0 (at least this is what we think the client is trying to do):
C:\Windows\system32>route add 192.168.200.0 mask 255.255.255.0 192.168.120.1 metric 0 if 192.168.120.232
route: bad metric value 0
C:\Windows\system32>
Can we have an explanation why the client is trying to add the route - why does it need to trunk all local network traffic (192.168.200.0) to the 192.168.120.1 (a gateway on the enterprise network)?
Also, if you have found a solution to this problem, please share it.
We will try a Win XP with 32bit client tomorrow to see if we get the same problem.
Thank you
Emi
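The CM warning in log entry 376 carries the failed route as hex words. Decoding them and comparing against the pre-connection table (entry 374) shows that the rejected route targets the subnet the client's own LAN adapter is already on-link to. The sketch below is an added example, not part of the original post or of the Cisco client; the function names are hypothetical and the sample input is copied from the log above.

```python
import ipaddress
import re

# Constructed sample input: lines copied from log entries 376 and 374 in the post.
CM_LINE = ("Unable to add route. Network: c0a8c800, Netmask: ffffff00, "
           "Interface: c0a878e8, Gateway: c0a87801.")
PRE_CONNECT_TABLE = """\
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.154 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
192.168.200.0 255.255.255.0 192.168.200.154 192.168.200.154 281
192.168.200.154 255.255.255.255 192.168.200.154 192.168.200.154 281
224.0.0.0 240.0.0.0 192.168.200.154 192.168.200.154 281
"""

CM_RE = re.compile(r"Network: ([0-9a-f]{8}), Netmask: ([0-9a-f]{8}), "
                   r"Interface: ([0-9a-f]{8}), Gateway: ([0-9a-f]{8})", re.I)

def parse_cm_failure(line):
    """Decode the hex fields of a CM 'Unable to add route' line."""
    m = CM_RE.search(line)
    if m is None:
        return None
    net, mask, iface, gw = (ipaddress.IPv4Address(int(h, 16)) for h in m.groups())
    return {"network": ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
            "interface": iface, "gateway": gw}

def on_link_subnets(table_text):
    """Return subnets the host reaches directly (gateway == interface)."""
    found = []
    for row in table_text.splitlines():
        cols = row.split()
        try:  # header rows and wrapped lines fail to unpack or parse
            dest, mask, gw, iface, _metric = cols
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        if (gw == iface and net.prefixlen < 32
                and not net.is_loopback and not net.is_multicast):
            found.append(net)
    return found

def conflicting_subnets(failed, table_text):
    """On-link subnets that overlap the route the client failed to add."""
    return [n for n in on_link_subnets(table_text) if n.overlaps(failed["network"])]

if __name__ == "__main__":
    failed = parse_cm_failure(CM_LINE)
    print("failed route:", failed["network"], "via", failed["gateway"])
    print("overlapping on-link:", conflicting_subnets(failed, PRE_CONNECT_TABLE))
```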
02-24-2011 05:28 AM
Are you trying to add a route to a network across the VPN? If so, that might be the issue. You can configure split tunneling on your VPN Server, defining the networks that the VPN clients can connect to using the VPN tunnel. Those networks will get injected to the client after the connection gets established.
I hope this helps.
02-24-2011 01:27 PM
Hi Paul,
We are trying to configure VPN access for Cisco VPN Clients to multiple enterprise networks. The client is on my home network 192.168.200.0/24 and connects via standard ADSL2+ modem to an ISP. This is what other employees will have at home, and except for the IP address range, all will be the same.
We want to configure the client to use the tunnel to access multiple enterprise networks which also have address in the 192.168.x.x range. I think the best way to explain our scenario is to post the Easy VPN Configuration. Here it is:
!
crypto isakmp client configuration group Employee
dns 192.168.20.xxx
domain wsn.prolancer.com.au
pool VpnIpPool
acl VpnSplitAcl
firewall are-u-there
split-dns prolancer.com.au
split-dns in.prolancer.com.au
max-logins 1
!
ip local pool VpnIpPool 192.168.120.200 192.168.120.253
!
ip access-list extended VpnSplitAcl
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
<- few more networks here ->
deny ip any any
!
When the client connects, we see Secured Routes to all networks in the VpnSplitAcl. However, these routes do not appear in the Win 7 routing table as you can see from the previous post.
I tried the 32 bit version of the client on a Win XP machine as well. We get the same problem with it not being able to add a route, except the client is trying to add the route with metric 20 (instead of metric 0 on Win 7) and the error code reported is 87 (instead of 160 on Win 7).
I can provide more information, just do not know what is relevant.
Emil
09-29-2011 02:56 PM
Did you ever get this resolved? Having the same issue now.
10-01-2011 11:45 PM
Hi Joe,
Yes, it was resolved.
It was basically incorrect split tunnel configuration on the Cisco router. I cannot recall what exactly was wrong, but I remember that my interpretation of the information in the Cisco manuals was incorrect (English being my 2nd language and all). As a result, I had incorrect configuration. A colleague of mine put me on the right track by explaining what the manual says.
So make sure your ezvpn configuration is correct (split tunneling in particular) and double check it with what the manuals say.
You can safely ignore what is said in this post: https://supportforums.cisco.com/message/3037133, especially the suggestion by David P. at the end of the post.
Emil