10384 Views, 5 Helpful, 9 Replies

VPN Client Unable to Add Routes in Windows 7

mitchtoddisin (Level 1)

Having an issue with the IPsec client being unable to add routes in Windows 7 while connecting to an ASA 5510 running 8.3(2). The client connects, but the split-tunnel routes do not get installed on the OS. VPN client versions used are 5.0.07.0290 and 5.0.07.0440 x64. The client status window shows that it received the split-tunnel networks, but the log shows that the routes do not get installed, with the following message:

     Sev=Warning/2 CVPND/0xE3400013
     AddRoute failed to add a route with metric of 100: code 87
          Destination     192.168.100.0
          Netmask         255.255.252.0
          Gateway         0.30.1.1
          Interface       10.30.1.201

     Sev=Warning/2 CVPND/0xE3400013
     AddRoute failed to add a route with metric of 100: code 87
          Destination     10.30.0.0
          Netmask         255.255.0.0
          Gateway         0.30.1.1
          Interface       10.30.1.201

If I manually add the routes on the Windows box, I have connectivity through to the split tunnel networks.

This is the config on the ASA:

: Saved
:
ASA Version 8.3(2)
!
hostname XXXXXX
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXXXXXXXXXXX 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.30.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 10.31.1.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network User_Segment_30.1
 subnet 10.30.1.0 255.255.255.0
[...]
object network User_Segment_31.1
object network Inside_Networks
 subnet 10.30.0.0 255.255.0.0
object network Remote_Network
 subnet 192.168.100.0 255.255.252.0
object network User_VPN_IP_Range
 subnet 10.30.1.192 255.255.255.224
access-list From_Outside extended permit icmp any any
access-list Remote_VPN extended permit ip 10.30.0.0 255.255.0.0 192.168.100.0 255.255.252.0
access-list User_Remote_Access_VPN_Split_Tunnel standard permit 10.30.0.0 255.255.0.0
access-list User_Remote_Access_VPN_Split_Tunnel standard permit 192.168.100.0 255.255.252.0
pager lines 24
logging enable
logging buffer-size 65536
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool Remote_Access_VPN_Pool 10.30.1.200-10.30.1.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside_Networks Inside_Networks destination static Remote_Network Remote_Network unidirectional
nat (inside,outside) source static Inside_Networks Inside_Networks destination static User_VPN_IP_Range User_VPN_IP_Range
nat (outside,outside) source static User_VPN_IP_Range User_VPN_IP_Range destination static Remote_Network Remote_Network
!
object network User_Segment_30.1
 nat (inside,outside) dynamic interface
object network DMZ_Segment_31.1
 nat (dmz,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
route inside 172.20.61.0 255.255.255.0 10.30.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NT_DCs protocol nt
aaa-server NT_DCs (inside) host 10.30.1.210
 nt-auth-domain-controller adc01
[...]
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA
crypto map RemoteMap 10 match address Remote_VPN
crypto map RemoteMap 10 set pfs
crypto map RemoteMap 10 set peer xxxxxxxxxxxx
crypto map RemoteMap 10 set transform-set ESP-AES256-SHA ESP-AES-256-SHA
crypto map RemoteMap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map RemoteMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy User_Remote_Access_VPN internal
group-policy User_Remote_Access_VPN attributes
 wins-server value 10.30.1.210
 dns-server value 10.30.1.210
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value User_Remote_Access_VPN_Split_Tunnel
 default-domain value XXX.XXX
[usernames deleted]
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group User_Remote_Access_VPN type remote-access
tunnel-group User_Remote_Access_VPN general-attributes
 address-pool Remote_Access_VPN_Pool
 authentication-server-group (inside) NT_DCs LOCAL
 default-group-policy User_Remote_Access_VPN
tunnel-group User_Remote_Access_VPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4d556af5019dc9db3d234e0a19e77ce
: end
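Added example (editor's code, not from the post, Cisco or the VPN client): a small Python script that parses CVPND "AddRoute failed" records like the two quoted above, names the Win32 error code the client reports (87 is ERROR_INVALID_PARAMETER, 5 is ERROR_ACCESS_DENIED), and flags two relationships that are visible in this thread's own data but are not discussed in it: the client's assigned address 10.30.1.201 lies inside 10.30.0.0/16, one of the two routes it is asked to install, and the pool 10.30.1.200-220 sits inside the ASA's inside subnet 10.30.1.0/24. It also flags the gateway as printed (0.30.1.1), which falls in the 0.0.0.0/8 "this network" block. The thread does not establish that any of these causes the code 87; the script only makes them easy to see when reading such a log. The sample log text is constructed from the post, with "Destination" spelled normally.

```python
"""Parse Cisco VPN Client (CVPND) 'AddRoute failed' records and flag
route/address relationships worth checking.  Added example, not Cisco code."""
import ipaddress
import re

# Win32 error codes that the client prints verbatim from the routing API.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    87: "ERROR_INVALID_PARAMETER",
}

# Constructed sample: the two failure records quoted in the post above,
# with "Destination" spelled normally.
SAMPLE_LOG = """\
Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 100: code 87
     Destination     192.168.100.0
     Netmask         255.255.252.0
     Gateway         0.30.1.1
     Interface       10.30.1.201
Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 100: code 87
     Destination     10.30.0.0
     Netmask         255.255.0.0
     Gateway         0.30.1.1
     Interface       10.30.1.201
"""

FAIL_RE = re.compile(r"AddRoute failed to add a route with metric of (\d+): code (\d+)")
# Accept the misspelling that appears in the transcribed log as well.
FIELD_RE = re.compile(r"^\s*(Destination|Destiantion|Netmask|Gateway|Interface)\s+(\S+)\s*$")


def parse_addroute_failures(text):
    """Return one dict per AddRoute failure: metric, code and the four
    address fields that follow it in the log."""
    records, current = [], None
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            current = {"metric": int(m.group(1)), "code": int(m.group(2))}
            records.append(current)
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            key = "destination" if f.group(1).startswith("Dest") else f.group(1).lower()
            current[key] = f.group(2)
    return records


def check_route(rec):
    """Return human-readable findings for one failed route record."""
    findings = ["code %d = %s" % (rec["code"], WIN32_ERRORS.get(rec["code"], "unknown Win32 error"))]
    dest = ipaddress.ip_network("%s/%s" % (rec["destination"], rec["netmask"]), strict=False)
    gw = ipaddress.ip_address(rec["gateway"])
    iface = ipaddress.ip_address(rec["interface"])
    # 0.0.0.0/8 is "this network" (RFC 1122); it is never a usable next hop.
    if gw in ipaddress.ip_network("0.0.0.0/8"):
        findings.append("gateway %s is in 0.0.0.0/8, not a usable next hop" % gw)
    # A split-tunnel route that covers the client's own assigned address
    # means the client is being told to tunnel traffic for its own subnet.
    if iface in dest:
        findings.append("assigned address %s lies inside route %s" % (iface, dest))
    return findings


def pool_overlap(pool_start, pool_end, subnets):
    """Return the subnets that the address pool [pool_start, pool_end] overlaps."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    hits = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        if lo in net or hi in net or (lo <= net[0] <= hi):
            hits.append(str(net))
    return hits


if __name__ == "__main__":
    for rec in parse_addroute_failures(SAMPLE_LOG):
        print("route %s/%s via %s on %s" % (rec["destination"], rec["netmask"],
                                            rec["gateway"], rec["interface"]))
        for finding in check_route(rec):
            print("   ", finding)
    # Pool and interface subnets taken from the ASA config in the post.
    print("pool 10.30.1.200-220 overlaps:",
          pool_overlap("10.30.1.200", "10.30.1.220", ["10.30.1.0/24", "10.31.1.0/24"]))
```

Run it against a real client log to list every route the client failed to install, then compare the flagged findings with the ASA's `ip local pool` and inside interface addressing before touching the Windows side.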

9 Replies

rizwanr74 (Level 7)

Hi Mitch,

Please try this...

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

Please let me know, if this helps.

thanks

Already tried it, and nothing changed. The client actually does get the routes from the ASA, but fails to install them on the underlying OS, at least in Windows 7

Patrick0711 (Level 3)

Have you tried connecting from multiple workstations? Seems like it may be an issue with that particular workstation.

It works running the client on an XP box. Windows 7 connects, but the OS doesn't get any routes. Escalating the run privileges of the Win 7 client (run as administrator) doesn't seem to make a difference.

Hey Folks,

I am also facing a similar issue. Do we have any fix for this as of now?

Appreciate your prompt response.

Thanks

Saurabh

Hi,

To clarify a couple of things:

1- "reverse-route" does not have anything to do with this issue; the problem lies on the Windows 7 machine.

2- Do you connect with an Admin account (Windows admin)?

3- Do you run the VPN client as an administrator?

4- Have you tried disabling any AV or software protection on the machine (just for testing)?

Let me know.

Portu.

Please rate any helpful posts.

Message was edited by: Javier Portuguez

Patrick0711 (Level 3)

It's something local to your workstation.

I use Windows 7 as my office workstation and have tested hundreds of client VPN configurations without issue. There are also probably 50+ other technicians in my office who run Windows 7, do the same type of work, and do not experience issues with route injection.

Hi there,

I totally agree with Patrick (5 stars).

Please check my previous post and let us know.

Portu.

Please rate any helpful posts.

abcdrohan (Level 1)

A basic question: have you tried disabling the Windows FW and any AV, if installed, on that Windows box?

You might have tried it already, but just checking.

Also, instead of using the Cisco VPN client, try using Shrew Soft as the VPN client and see if you get different results.
