mysterious unwanted route added by VPN software client

Unanswered Question
Jul 26th, 2007

We have an Internet-facing VPN concentrator 3005 outside our ASA firewall and vpn software client installed on laptops in a Windows 2000 domain with Active Directory. No split-tunneling is allowed.


I once installed the VPN client on a new laptop in the corporate network, and to test it, I connected the laptop to the VPN concentrator. When I tried to ping our primary DC, I got timeouts. But I could ping other DCs and any other corporate devices.


Upon examining the "route print" output, I found that the VPN client added a few routes, including a route for the primary DC out the LAN interface to the LAN default gateway. No wonder I couldn't ping it -- the ICMP packets got dropped because they were directed to the local LAN. I could manually remove the route and connections to the PDC would be fine.


What bothers me is that I can't find a place in the concentrator config or VPN client to remove the unwanted route. It is not in the static routes on the concentrator. I even searched the concentrator's CONFIG file but only found one instance of PDC IP address, which is the DNS server address. I also tried no firewall for this VPN group.


Can someone offer me a clue?


Appreciate it much!


daniel



amritpatek Wed, 08/01/2007 - 10:37

I think that the client will get a route for the subnet that it receives an address in and that if the ASA is not set up to hand down a specific subnet, the client just uses a classful subnet. You can apply a specific mask to the client pool on the ASA. The commands you may need to enter are as follows:

clear crypto isakmp sa

clear crypto ipsec sa

then you want to remove the address pool from the VPN Group

no vpngroup address pool

then you can remove the old pool

no ip local pool

then add the new pool

ip local pool mask

then apply the new pool to the vpngroup

vpngroup address pool

Keep in mind that if the same old pool is applied to more than one VPN group then you need to remove the old pool from all groups where it is applied, prior to removing the pool.
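An added check for the symptom in the question and for the classful-subnet point in the reply above. This is example code written for this page, not code from either poster, and every address in it is made up: it parses a constructed sample of the Windows "route print" table for a client on a full-tunnel VPN (LAN 192.168.1.0/24, pool 10.20.30.0/24, DC at 10.1.1.10, concentrator at 203.0.113.50), flags any corporate destination whose next hop is the LAN rather than the VPN adapter while exempting the concentrator's own address (which has to stay reachable over the LAN or the tunnel cannot be built), and shows which classful network a host assumes for a pool address handed out without a mask.

```python
"""Flag VPN-client routes that send corporate traffic around the tunnel.

Added example for this thread (not code from the original posts). The
route table below is a constructed sample in the layout of Windows
"route print"; every address in it is made up.
"""
import ipaddress
import re

# Constructed sample: LAN adapter 192.168.1.10 (gateway 192.168.1.1),
# VPN adapter 10.20.30.5, corporate DC at 10.1.1.10, concentrator at
# 203.0.113.50.  The 10.1.1.10 host route via the LAN gateway is the kind
# of stray entry the question describes.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.20.30.1      10.20.30.5       1
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.10      20
        10.1.1.10  255.255.255.255     192.168.1.1    192.168.1.10       1
       10.20.30.0    255.255.255.0      10.20.30.5      10.20.30.5       1
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.10    192.168.1.10      20
     203.0.113.50  255.255.255.255     192.168.1.1    192.168.1.10       1
Default Gateway:       10.20.30.1
"""

# destination, netmask, gateway, interface, metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue                          # headers, section titles, other lines
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, ipaddress.IPv4Address(gw),
                       ipaddress.IPv4Address(iface), int(metric)))
    return routes


def default_via_vpn(routes, vpn_iface):
    """True if the preferred (lowest-metric) default route uses the VPN adapter.

    With split tunnelling disabled this is what pushes all traffic into the tunnel."""
    vpn = ipaddress.IPv4Address(vpn_iface)
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return False
    best = min(defaults, key=lambda r: r[3])
    return best[2] == vpn


def stray_routes(routes, corporate_nets, vpn_iface, allowed_hosts=()):
    """Routes to corporate destinations that leave via something other than the VPN adapter.

    A more specific route always beats the default, so one stray host route
    is enough to black-hole a single server while everything else works.
    allowed_hosts exempts addresses that must stay on the LAN, e.g. the
    concentrator's public address the tunnel itself is built to."""
    vpn = ipaddress.IPv4Address(vpn_iface)
    corp = [ipaddress.IPv4Network(n) for n in corporate_nets]
    allowed = {ipaddress.IPv4Address(h) for h in allowed_hosts}
    stray = []
    for net, gw, iface, metric in routes:
        if net.prefixlen == 0:
            continue                          # default routes: see default_via_vpn()
        if iface == vpn:
            continue                          # goes through the tunnel, fine
        if net.prefixlen == 32 and net.network_address in allowed:
            continue                          # e.g. the concentrator itself
        if any(net.overlaps(c) for c in corp):
            stray.append(f"{net} via {gw} on {iface}")
    return stray


def classful_network(addr):
    """Classful network a host assumes for addr when no mask accompanies it.

    A pool address such as 10.20.30.5 with no mask is treated as 10.0.0.0/8,
    which also covers a DC at 10.1.1.10; the reply above suggests giving the
    pool an explicit mask for this reason."""
    a = ipaddress.IPv4Address(addr)
    first_octet = int(a) >> 24
    if first_octet < 128:
        prefix = 8                            # class A
    elif first_octet < 192:
        prefix = 16                           # class B
    else:
        prefix = 24                           # class C
    return ipaddress.IPv4Network(f"{a}/{prefix}", strict=False)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    print("default route via VPN:", default_via_vpn(routes, "10.20.30.5"))
    for entry in stray_routes(routes, ["10.0.0.0/8"], "10.20.30.5",
                              allowed_hosts=["203.0.113.50"]):
        print("stray route:", entry)
    print("classful net for pool address 10.20.30.5:",
          classful_network("10.20.30.5"))
```

To use it against a real client, paste the IPv4 section of "route print" taken while the tunnel is up into SAMPLE_ROUTE_PRINT (or read it from a file), set corporate_nets to the address ranges that should only be reachable through the tunnel, and pass the concentrator's public address as an allowed host; any entry the script reports is a candidate for the stray route the question describes.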
