Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1703
Views
0
Helpful
1
Replies

VPN Connects, but not able to access any IP in the Remote Network

chandrasekhar.s
Level 1
Level 1

‎01-05-2010 07:10 AM

Hi All,

We have a Cisco VPN to a client system. We are able to connect to the VPN of the client system successfully. However we are not able to access any IP from the remote Network. We tried to ping the default gateway and this also times out. I am able to ping only my IP.

Our network IP range is in 192.168.2.xx

The client IP range is in 192.168.4.xx

After the VPN connection If I look into IP Config

1) I get a correct 192.168.4.xx IP address range

2) The default gateway is also correct 192.168.4.x

I am not able to Ping any other IP from the remote network except my own IP.

I have attached the CISCO VPN log. I have masked the PUBLIC IP and the Domain name.

In the Cisco properties, we have set

1) Enable Transparent Tunneling

2) IPSEC over UDP (NAT / PAT)

3) Allow Local Network to TRUE

We see that the error AddRoute failed to add a route: code 87 coming in the LOG file.

Could you please help us with this problem.

Thanks and Regards

Chandrasekhar

------ CISCO VPN LOG -------------------

Cisco Systems VPN Client Version 4.8.02.0010

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

Config file directory: C:\Program Files\Cisco Systems\VPN Client

1      19:51:47.977  01/05/10  Sev=Info/4 CM/0x63100002

Begin connection process

2      19:51:47.993  01/05/10  Sev=Info/4 CM/0x63100004

Establish secure connection

3      19:51:47.993  01/05/10  Sev=Info/4 CM/0x63100024

Attempt connection with server "PUBLIC IP ADDRESS"

4      19:51:48.102  01/05/10  Sev=Info/4 CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

5      19:51:48.149  01/05/10  Sev=Info/4 CM/0x63100015

Launch xAuth application

6      19:51:48.321  01/05/10  Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

7      19:51:48.321  01/05/10  Sev=Info/4 IPSEC/0x63700014

Deleted all keys

8      19:52:00.977  01/05/10  Sev=Info/4 CM/0x63100017

xAuth application returned

9      19:52:01.024  01/05/10  Sev=Info/4 CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

10     19:52:01.133  01/05/10  Sev=Info/4            CM/0x63100019

Mode Config data received

11     19:52:02.023  01/05/10  Sev=Info/4            CM/0x63100034

The Virtual Adapter was enabled:

            IP=192.168.4.168/255.255.255.0

            DNS=192.168.4.250,192.168.4.252

            WINS=0.0.0.0,0.0.0.0

            Domain=<DOMAIN NAME>

            Split DNS Names=

12     19:52:02.039  01/05/10  Sev=Warning/2      CVPND/0xE3400013

AddRoute failed to add a route: code 87

            Destination       192.168.2.255

            Netmask           255.255.255.255

            Gateway           192.168.4.1

            Interface           192.168.4.168

13     19:52:02.039  01/05/10  Sev=Warning/2      CM/0xA3100024

Unable to add route. Network: c0a802ff, Netmask: ffffffff, Interface: c0a804a8, Gateway: c0a80401.

14     19:52:02.054  01/05/10  Sev=Info/4            CM/0x63100038

Successfully saved route changes to file.

15     19:52:02.054  01/05/10  Sev=Info/6            CM/0x63100036

The routing table was updated for the Virtual Adapter

16     19:52:02.117  01/05/10  Sev=Info/4            CM/0x6310001A

One secure connection established

17     19:52:02.226  01/05/10  Sev=Info/4            CM/0x6310003B

Address watch added for 192.168.2.178.  Current hostname: mm0007, Current address(es): 192.168.4.168, 192.168.2.178.

18     19:52:02.226  01/05/10  Sev=Info/4            CM/0x6310003B

Address watch added for 192.168.4.168.  Current hostname: mm0007, Current address(es): 192.168.4.168, 192.168.2.178.

19     19:52:02.226  01/05/10  Sev=Info/4            IPSEC/0x63700014

Deleted all keys

20     19:52:02.226  01/05/10  Sev=Info/4            IPSEC/0x63700010

Created a new key structure

21     19:52:02.226  01/05/10  Sev=Info/4            IPSEC/0x6370000F

Added key with SPI=0x777eb224 into key list

22     19:52:02.226  01/05/10  Sev=Info/4            IPSEC/0x63700010

Created a new key structure

23     19:52:02.226  01/05/10  Sev=Info/4            IPSEC/0x6370000F

Added key with SPI=0x2f0ab19d into key list

24     19:52:02.226  01/05/10  Sev=Info/4            IPSEC/0x6370002F

Assigned VA private interface addr 192.168.4.168

25     19:52:02.226  01/05/10  Sev=Info/4            IPSEC/0x63700037

Configure public interface: 192.168.2.178. SG: "PUBLIC IP ADDRESS"

26     19:52:02.226  01/05/10  Sev=Info/6            CM/0x63100046

Set tunnel established flag in registry to 1.

------ CISCO VPN LOG -------------------

Labels:
0 Helpful
1 Reply 1

acomiskey
Level 10
Level 10

‎01-05-2010 07:24 AM

After you connect, go to Status -> Statistics in the vpn client. Check to see if transparent tunneling is actually active. If not, this is most likely a nat-traversal issue on the firewall.

0 Helpful
Customers Also Viewed These Support Documents