VPN Client can not add route on Win 7

prolancer · ‎02-24-2011

We are in the porcess of creating an Easy VPN Server on a 3825 and deploying Cisco VPN Client 5.0.07.0290 32bit on XP machines and 64bit on WIn 7 64bit machines.

Our first install of the client is on a Win 7 64bit machine.

The client connects to the Easy VPN Server without problems, however, after it connects we are unable to access any of the networks at the business site. The client reports the following error in the log:

375 21:37:23.975 02/24/11 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.200.0
Netmask 255.255.255.0
Gateway 192.168.120.1
Interface 192.168.120.232

We spent some time searching discussions and it appears that this problem has been reported before (https://supportforums.cisco.com/message/3037133) but no solution is available (none that we can find).

Here is the routing table on the client before and after the error:

374    21:37:20.933 02/24/11 Sev=Info/5 CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0     192.168.200.1   192.168.200.154       25
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
192.168.200.0     255.255.255.0   192.168.200.154   192.168.200.154      281
192.168.200.154   255.255.255.255   192.168.200.154   192.168.200.154      281
192.168.200.255   255.255.255.255   192.168.200.154   192.168.200.154      281
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0   192.168.200.154   192.168.200.154      281
      224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      281
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255   192.168.200.154   192.168.200.154      281
255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      281

375 21:37:23.975 02/24/11 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.200.0
Netmask 255.255.255.0
Gateway 192.168.120.1
Interface 192.168.120.232

376 21:37:23.975 02/24/11 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a8c800, Netmask: ffffff00, Interface: c0a878e8, Gateway: c0a87801.

377 21:37:23.975 02/24/11 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.

378    21:37:23.975 02/24/11 Sev=Info/5 CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0     192.168.200.1   192.168.200.154       25
        0.0.0.0           0.0.0.0     192.168.120.1   192.168.120.232      100
58.108.160.188   255.255.255.255     192.168.200.1   192.168.200.154      100
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
192.168.120.0     255.255.255.0   192.168.120.232   192.168.120.232      281
192.168.120.232   255.255.255.255   192.168.120.232   192.168.120.232      281
192.168.120.255   255.255.255.255   192.168.120.232   192.168.120.232      281
192.168.200.0     255.255.255.0   192.168.200.154   192.168.200.154      281
192.168.200.1   255.255.255.255   192.168.200.154   192.168.200.154      100
192.168.200.154   255.255.255.255   192.168.200.154   192.168.200.154      281
192.168.200.154   255.255.255.255     192.168.120.1   192.168.120.232      281
192.168.200.255   255.255.255.255   192.168.200.154   192.168.200.154      281
192.168.200.255   255.255.255.255     192.168.120.1   192.168.120.232      281
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0   192.168.200.154   192.168.200.154      281
      224.0.0.0         240.0.0.0   192.168.120.232   192.168.120.232      281
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255   192.168.200.154   192.168.200.154      281
255.255.255.255   255.255.255.255   192.168.120.232   192.168.120.232      281

379 21:37:23.975 02/24/11 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter

We tried and failed:

1. connection with firewall on and off

2. running the client as administartor

Also, if you try and add the route manually it fails with bad metric 0 (at least this is what we think the client is trying to do):

C:\Windows\system32>route add 192.168.200.0 mask 255.255.255.0 192.168.120.1 metric 0 if 192.168.120.232
route: bad metric value 0

C:\Windows\system32>

Can we have an explanation why the client is trying to add the route - why does it need to trunk all local network traffic (192.168.200.0) to the 192.168.120.1 (a gateway on the enterprise network)?

Also, if you have found a solution to this problem, please share it.

We will try a Win XP with 32bit client tomorrow to see if we get the same problem.

Thank you

Emi

PAUL GILBERT ARIAS · ‎02-24-2011

are you trying to add a route to a network across the VPN? If so that might be the issue. You can configure on your VPN Server split tunneling defining the networks that the VPN clients could connect using the VPN tunnel. Those networks will get inyected to the client after the connection get established.

I hope this helps.

prolancer · ‎02-24-2011

Hi Paul,

we are trying to configure VPN access for Cisco VPN Clients to multiple enterprise networks. The client is on my home network 192.168.200.0/24 and connects via standard ADSL2+ modem to an ISP. This is what other employees will have at home, and except for the IP address range, all wil be same.

We want to configure the client to use the tunnel to access multiple enterprise networks which also have address in the 192.168.x.x range. I think the best way to explain our scenario is to post the Easy VPN Configuration. Here it is:

!
crypto isakmp client configuration group Employee
dns 192.168.20.xxx
domain wsn.prolancer.com.au
pool VpnIpPool
acl VpnSplitAcl
firewall are-u-there
split-dns prolancer.com.au
split-dns in.prolancer.com.au
max-logins 1
!

ip local pool VpnIpPool 192.168.120.200 192.168.120.253

!
ip access-list extended VpnSplitAcl
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any

<- few more networks here ->
deny ip any any
!

When the client connects, we see Secured Routes to all networks in the VpnSplitAcl. However, these routes do not apper in the Win 7 routing table as you can see from the previous post.

I tried the 32 bit version of the client on a WIn XP machine as well. We get the same problem with it not being able to add a route, except the client is trying to add the route with metric 20 (instead of metric 0 on Win 7) and the error code reported is 87 (instead of 160 on Win 7).

I can provide more information, just do not know what is relevant.

Emil

tuffsubject · ‎09-29-2011

Did you ever get this resolved? Having the same issue now.

prolancer · ‎10-01-2011

Hi Joe,

yes it was resolved.

It was basically incorrect split tunnel configuration on the Cisco router. I cannot recall what exactly was wrong, but I remember that my interpretation of the information in the Cisco manuals was incorrect (English being my 2nd language and all). As a result, I had incorrect configuration. A colegue of mine put me on the right track by explaining what the manual says.

So make sure yor ezvpn configuration is correct (split tunneling in particular) and double check it with what the manuals say.

You can safely ignore what is said in this post: https://supportforums.cisco.com/message/3037133, especially the suggestion by David P. at the end of the post.

Emil