We have an Internet-facing VPN concentrator 3005 outside our ASA firewall and VPN software client installed on laptops in a Windows 2000 domain with Active Directory. No split-tunneling is allowed.
I once installed the VPN client on a new laptop in the corporate network, and to test it, I connected the laptop to the VPN concentrator. When I tried to ping our primary DC, I got timeouts. But I could ping other DCs and any other corporate devices.
Upon examining the "route print" output, I found that the VPN client added a few routes, including a route for the primary DC out the LAN interface to the LAN default gateway. No wonder I couldn't ping it -- the ICMP packets got dropped because they were directed to the local LAN. I could manually remove the route and connections to the PDC would be fine.
What bothers me is that I can't find a place in the concentrator config or VPN client to remove the unwanted route. It is not in the static routes on the concentrator. I even searched the concentrator's CONFIG file but only found one instance of PDC IP address, which is the DNS server address. I also tried no firewall for this VPN group.
Can someone offer me a clue?
Appreciate it much!
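Added example (not from the original post): a small check that parses "route print" output and flags host routes for corporate addresses whose next hop is the LAN default gateway, i.e. exactly the kind of route described above that sends PDC traffic outside the tunnel when split-tunneling is not supposed to exist. The sample output, the corporate range 10.0.0.0/8, the LAN gateway 192.168.1.1 and the DC address 10.0.0.5 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of Windows "route print" IPv4 output (not from the post).
# LAN is 192.168.1.0/24 via gateway 192.168.1.1, VPN adapter is 10.200.0.5,
# and 10.0.0.5 stands in for the primary DC / DNS server address.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50       1
          0.0.0.0          0.0.0.0       10.200.0.1      10.200.0.5       1
         10.0.0.5  255.255.255.255      192.168.1.1    192.168.1.50       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50       1
Default Gateway:       192.168.1.1
===========================================================================
"""

# One route line: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and the "Default Gateway:" line
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gw),
                       ipaddress.ip_address(iface), int(metric)))
    return routes


def find_tunnel_bypass(text, corp_nets, lan_gateway):
    """Routes to corporate destinations whose next hop is the LAN gateway.

    Such routes send traffic for those hosts around the VPN tunnel; the
    default route (0.0.0.0/0) is ignored since it is expected to exist.
    """
    corp = [ipaddress.ip_network(n) for n in corp_nets]
    lan_gw = ipaddress.ip_address(lan_gateway)
    leaks = []
    for net, gw, _iface, _metric in parse_routes(text):
        if gw != lan_gw or net.prefixlen == 0:
            continue
        if any(net.subnet_of(c) for c in corp):
            leaks.append(str(net))
    return leaks
```

Running it against a live "route print" capture each time the client connects gives a quick way to confirm that no corporate host routes point at the LAN gateway before treating the tunnel as fully enforced.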