AddRoute failed to add a route: code 87

Unanswered Question
Jun 20th, 2007
User Badges:

I could connect to easy vpn server from the client. However, cannot access any Local area resource. From the Log file it showed " Sev= Warning/2 AddRoute failed to add a route: code 87"

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
smalkeric Tue, 06/26/2007 - 10:11
User Badges:
  • Silver, 250 points or more

Check the Tunnel group configuration on VPN server.

also check this bug-id:CSCsb05686.

meng_ted Fri, 12/14/2007 - 11:15
User Badges:

First off, this bug is an internal Cisco bug talking about if you configure the secondary IP address on the main interface, you would see the error code 87.

So far, Secondary IP is the only reason being documented internally by Cisco. However, without secondary IP address set up on the main interface, you would still be able to see the error on vpn client.

If that is the case, the error indicates incorrect or uncompleted configuration issues on the ASA side. Check the ASA config for these items:

1) NAT exemption (NAT 0)- to allow restricted network be accessible from VPN pool

2) Split Tunnel - Ensure if you specify which inside networks (whole or partial) need to included in the secure tunneling list. IF all traffic including Internet traffic are required to be secured by VPN tunnel encryption, you could use ANY

3) For item (2), those Internet traffic needs to rerouted back to Internet from the same Outside interface, so you need to:

3-1) NAT (outside) - this step is to enable VPN private IP address es being NATed properly to outside global IP address before the traffic back to the Internet.

3-2) Hair-Pinning or U-Turn - use command "same-security-traffic permit intra-interface" - This command basically allow the inbound VPN traffic coming out from the same Outside interface. Similar concept like Split Horizon for the IP Routing.

I got the exact same issue before, and eventually after fixing the above items, everything worked fine. And from your VPN client log view, you should be able to see the correct IKE and IPSEC information rather than the Code 87 issue.


This Discussion