05-24-2012 10:08 AM
Having an issue with the ipsec client being unable to add routes in Windows 7 while connecting to an asa 5510 running 8.3(2). Client connects, but the split-tunnel routes do not get installed on the OS. Vpn client versions used are 5.0.07.0290 and 5.0.07.0440 x64. The client status window shows that it received the split tunnel networks, but the log shows that the routes do not get installed with the following message:
Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 100: code 87
Destiantion 192.168.100.0
Netmask 255.255.252.0
Gateway 0.30.1.1
Interface 10.30.1.201
Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 100: code 87
Destiantion 10.30.0.0
Netmask 255.255.0.0
Gateway 0.30.1.1
Interface 10.30.1.201
If I manually add the routes on the Windows box, I have connectivity through to the split tunnel networks.
This is the config on the ASA:
: Saved
:
ASA Version 8.3(2)
!
hostname XXXXXX
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address XXXXXXXXXXXX 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.30.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif dmz
security-level 50
ip address 10.31.1.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network User_Segment_30.1
subnet 10.30.1.0 255.255.255.0
[...]
object network User_Segment_31.1
object network Inside_Networks
subnet 10.30.0.0 255.255.0.0
object network Remote_Network
subnet 192.168.100.0 255.255.252.0
object network User_VPN_IP_Range
subnet 10.30.1.192 255.255.255.224
access-list From_Outside extended permit icmp any any
access-list Remote_VPN extended permit ip 10.30.0.0 255.255.0.0 192.168.100.0 255.255.252.0
access-list User_Remote_Access_VPN_Split_Tunnel standard permit 10.30.0.0 255.255.0.0
access-list User_Remote_Access_VPN_Split_Tunnel standard permit 192.168.100.0 255.255.252.0
pager lines 24
logging enable
logging buffer-size 65536
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool Remote_Access_VPN_Pool 10.30.1.200-10.30.1.220 mask 225.255.225.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside_Networks Inside_Networks destination static Remote_Network Remote_Network unidirectional
nat (inside,outside) source static Inside_Networks Inside_Networks destination static User_VPN_IP_Range User_VPN_IP_Range
nat (outside,outside) source static User_VPN_IP_Range User_VPN_IP_Range destination static Remote_Network Remote_Network
!
object network User_Segment_30.1
nat (inside,outside) dynamic interface
object network DMZ_Segment_31.1
nat (dmz,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
route inside 172.20.61.0 255.255.255.0 10.30.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NT_DCs protocol nt
aaa-server NT_DCs (inside) host 10.30.1.210
nt-auth-domain-controller adc01
[...]
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA
crypto map RemoteMap 10 match address Remote_VPN
crypto map RemoteMap 10 set pfs
crypto map RemoteMap 10 set peer xxxxxxxxxxxx
crypto map RemoteMap 10 set transform-set ESP-AES256-SHA ESP-AES-256-SHA
crypto map RemoteMap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map RemoteMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy User_Remote_Access_VPN internal
group-policy User_Remote_Access_VPN attributes
wins-server value 10.30.1.210
dns-server value 10.30.1.210
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value User_Remote_Access_VPN_Split_Tunnel
default-domain value XXX.XXX
[usernames deleted]
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
tunnel-group User_Remote_Access_VPN type remote-access
tunnel-group User_Remote_Access_VPN general-attributes
address-pool Remote_Access_VPN_Pool
authentication-server-group (inside) NT_DCs LOCAL
default-group-policy User_Remote_Access_VPN
tunnel-group User_Remote_Access_VPN ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4d556af5019dc9db3d234e0a19e77ce
: end
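Windows returns code 87 (ERROR_INVALID_PARAMETER) when it rejects one of the arguments handed to the route call, so the values the client derives from the ASA config are worth validating. The check below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the pool and split-tunnel lines exactly as posted above (the `CONFIG` string) and flags any netmask that is not a contiguous run of one-bits or that leaves host bits set.

```python
import ipaddress
import re

# Constructed excerpt of the config lines posted above, values copied as written.
CONFIG = """
ip local pool Remote_Access_VPN_Pool 10.30.1.200-10.30.1.220 mask 225.255.225.0
access-list User_Remote_Access_VPN_Split_Tunnel standard permit 10.30.0.0 255.255.0.0
access-list User_Remote_Access_VPN_Split_Tunnel standard permit 192.168.100.0 255.255.252.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
STD_ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)", re.M)


def is_contiguous_mask(mask: str) -> bool:
    """A valid netmask is a run of 1-bits followed only by 0-bits.

    Inverting the mask turns it into 0...01...1; such a value ANDed with
    itself plus one is zero, which is the classic contiguity test.
    """
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def check_split_tunnel_config(config: str) -> list:
    """Return human-readable findings for pool masks and split-tunnel entries."""
    findings = []
    for name, start, end, mask in POOL_RE.findall(config):
        if not is_contiguous_mask(mask):
            findings.append(f"pool {name}: mask {mask} is not a contiguous netmask")
        else:
            # Both ends of the pool should sit inside the network the mask describes.
            net = ipaddress.IPv4Network((start, mask), strict=False)
            if ipaddress.IPv4Address(end) not in net:
                findings.append(f"pool {name}: {start}-{end} spans beyond {net}")
    for acl, net, mask in STD_ACL_RE.findall(config):
        try:
            # strict=True raises if the mask is invalid or host bits are set,
            # i.e. the entry would not be a clean route for the client to install.
            ipaddress.IPv4Network((net, mask), strict=True)
        except ValueError as exc:
            findings.append(f"acl {acl}: {net} {mask}: {exc}")
    return findings


if __name__ == "__main__":
    for line in check_split_tunnel_config(CONFIG) or ["no findings"]:
        print(line)
```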
05-25-2012 08:40 PM
Hi Mitch,
Please try this...
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
Please let me know, if this helps.
thanks
05-29-2012 12:30 PM
Already tried it, and nothing changed. The client actually does get the routes from the ASA, but fails to install them on the underlying OS, at least in Windows 7
05-25-2012 10:01 PM
Have you tried connecting from multiple workstations? Seems like it may be an issue with that particular workstation
05-29-2012 12:32 PM
It works running the client on an XP box. Windows 7 connects, but the OS doesn't get any routes. Escalating the run privileges of the Win 7 client (run as administrator) doesn't seem to make a difference.
10-12-2012 05:29 AM
Hey Folks,
I am also facing a similar issue. Do we have any fix for this as of now?
Appreciate your prompt response.
Thanks
Saurabh
10-12-2012 05:57 AM
Hi,
To clarify a couple of things:
1- "reverse-route" does not have anything to do with this issue; the problem lies on the Windows 7 machine.
2- Do you connect with an Admin account (Windows admin)?
3- Do you run the VPN client as an administrator?
4- Have you tried disabling any AV or software protection on the machine (just for testing)?
Let me know.
Portu.
Please rate any helpful posts.
Message was edited by: Javier Portuguez
10-12-2012 07:28 AM
It's something local to your workstation.
I use Windows 7 as my office workstation and have tested hundreds of client VPN configurations without issue. There are also probably 50+ other technicians in my office who run Windows 7, do the same type of work, and do not experience issues with route injection.
10-12-2012 10:21 AM
Hi there,
I totally agree with Patrick (5 stars).
Please check my previous post and let us know.
Portu.
Please rate any helpful posts.
10-12-2012 12:17 PM
A basic question: have you tried disabling windows FW and any AV if installed on that windows box?
You might have tried it already but just checking
Also, instead of using the Cisco VPN client, try using Shrew Soft as the VPN client and see if you get different results.