Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
641
Views
5
Helpful
8
Replies

IOS Router VPN - Client cannot connect to all subnets

infosateng
Level 1
Level 1

‎03-12-2009 02:27 PM

Hello

I have setup a IOS Router VPN that uses IPSec with Radius Authentication. I am using Cisco VPN Client 4.8. The connection and the Authetication work great, but the client cannot connect to all Subnets. I can sometimes can connect to a specific host in a subnet, but not others.

For example I have another router with a number of sub-interfaces on it, and I can ping only 80% of these sub-interface addresses. Any Help would be most greatful.

Labels:
Preview file
3 KB
0 Helpful
8 Replies 8

Ivan Martinon
Level 7
Level 7

‎03-12-2009 02:33 PM

you are not using any split tunnel so there should be no reason why the traffic should not flow from client to router and back, you could try to enable reverse-route under the dynamic tunnel and see if that helps.

also when the client cannot reach those networks, can your router reach them?

0 Helpful

infosateng
Level 1
Level 1
In response to Ivan Martinon

‎03-12-2009 03:40 PM

Ok Thanks, I give that a go.

Yes, the router can connect to everything

0 Helpful

infosateng
Level 1
Level 1
In response to infosateng

‎03-12-2009 03:57 PM

Hello

I've added the reverse-route command to the Dynamic Tunnel and the problem is still the same.

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to infosateng

‎03-12-2009 04:00 PM

Do me a favour, go ahead and create a loopback interface on the router, with an ip address that is not on the local subnet of your router or any other subnet behind it, then once it is created ping those subnets the client is unable to ping sourcing the ping from the loopback interface, are you getting replies?

0 Helpful

infosateng
Level 1
Level 1
In response to Ivan Martinon

‎03-12-2009 04:13 PM

Hello

Well that was interesting, I got the same problem. I can ping some addresses, but not all. Even if ip addresses are sub-interfaces on the same router.

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to infosateng

‎03-12-2009 04:15 PM

If you both, try a traceroute from those ip address(es) that you can reach from the client, to the vpn client assigned address from the pool, do you see it going to the vpn server?

infosateng
Level 1
Level 1
In response to Ivan Martinon

‎03-12-2009 04:40 PM

Yes, I see what the problem is. We have a couple of Core routers and doing a traceroute from the offending devices it stopped at the Secondary. I've add a static route and all is well.

Thanks for you help, I can now see the wood from the trees.

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to infosateng

‎03-12-2009 05:34 PM

Awesome! do rate useful posts

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents