IOS Router VPN - Client cannot connect to all subnets

Unanswered Question
Mar 12th, 2009


I have set up an IOS Router VPN that uses IPSec with RADIUS authentication. I am using Cisco VPN Client 4.8. The connection and the authentication work great, but the client cannot connect to all subnets. I can sometimes connect to a specific host in a subnet, but not others.

For example, I have another router with a number of sub-interfaces on it, and I can ping only 80% of these sub-interface addresses. Any help would be most gratefully received.

Ivan Martinon Thu, 03/12/2009 - 14:33

You are not using any split tunnel, so there should be no reason why the traffic should not flow from client to router and back. You could try to enable reverse-route under the dynamic tunnel and see if that helps.

Also, when the client cannot reach those networks, can your router reach them?

infosateng Thu, 03/12/2009 - 15:40

OK, thanks, I'll give that a go.

Yes, the router can connect to everything.

infosateng Thu, 03/12/2009 - 15:57


I've added the reverse-route command to the Dynamic Tunnel and the problem is still the same.

Ivan Martinon Thu, 03/12/2009 - 16:00

Do me a favour: go ahead and create a loopback interface on the router, with an IP address that is not on the local subnet of your router or any other subnet behind it. Once it is created, ping those subnets the client is unable to ping, sourcing the ping from the loopback interface. Are you getting replies?

infosateng Thu, 03/12/2009 - 16:13


Well, that was interesting: I got the same problem. I can ping some addresses, but not all, even if the IP addresses are sub-interfaces on the same router.

Ivan Martinon Thu, 03/12/2009 - 16:15

If you both, try a traceroute from those IP address(es) that you can reach from the client to the VPN client's assigned address from the pool. Do you see it going to the VPN server?

infosateng Thu, 03/12/2009 - 16:40

Yes, I see what the problem is. We have a couple of Core routers, and doing a traceroute from the offending devices, it stopped at the Secondary. I've added a static route and all is well.

Thanks for your help, I can now see the wood from the trees.

