Anyconnect ip address

Answered Question
Jul 7th, 2009

Hi,


When we connect to the SSL AnyConnect VPN, the IP address assigned seems to come with a gateway next to the IP address being assigned, and with the subnet mask of whatever subnet the range belongs to.

For example, if I assign a pool of 192.168.100.1-192.168.100.14 (/28) to a group, on connecting it will allocate me the following:

IP addr: 192.168.100.1

SM: 255.255.255.240

GW: 192.168.100.2


1. Shouldn't VPN connections be displaying the subnet mask as /32 and the gateway address the same as the IP address assigned?

2. Why does it need to allot a gateway address? And if it is necessary, why does it default to the very next IP address?


There are no problems with connections over VPN, everything is working fine.

Curious to know these.


Please advise. Thanks.

Correct Answer
ksirupa Wed, 07/15/2009 - 02:34

Hi,


This is expected behavior and shouldn't cause any problems for your VPN connection.


Windows XP does not like the interface to be same as the gateway for a non-local route. In XP, for a local route, the gateway can and must point to the interface. In XP, for a non-local route, the gateway must not point to the interface.

Hence the change. The .1 (i.e. the 1st IP in the subnet) was chosen randomly.


What happens if a machine with that IP exists on the private side of the ASA?


The AnyConnect interface is a virtual interface. The gateway on this interface is also meaningless. Since we are a virtual interface, no packets ever make it to the gateway mentioned in the route. We grab it, wrap it and send it out to the ASA just like any other packet. After unwrapping it, it's up to the ASA to decide what to do with it.
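As an added illustration (not from the thread and not Cisco's code), a small Python check that takes the configured pool plus the client's reported IP, mask and gateway and confirms the relationships described above: the mask is that of the subnet enclosing the pool, the gateway is the next address, it lies in the same subnet, and it differs from the interface address (the Windows XP non-local route rule). The sample values are the ones quoted in the question.

```python
from ipaddress import ip_address, ip_network


def pool_network(pool_first, pool_last):
    """Smallest single subnet that contains the whole address pool.
    For the pool 192.168.100.1-192.168.100.14 that is 192.168.100.0/28."""
    first, last = ip_address(pool_first), ip_address(pool_last)
    # Widen the prefix one bit at a time until one block covers both ends.
    for prefix in range(32, -1, -1):
        net = ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net
    raise ValueError("pool ends are not in a common network")


def check_client_addressing(pool_first, pool_last, ip, mask, gw):
    """Return a dict of booleans describing how the client's (ip, mask, gw)
    relate to the pool, using the relationships described in the thread."""
    net = pool_network(pool_first, pool_last)
    ip_addr, gw_addr = ip_address(ip), ip_address(gw)
    return {
        "ip_in_pool": ip_address(pool_first) <= ip_addr <= ip_address(pool_last),
        "mask_is_pool_subnet": str(net.netmask) == mask,
        "gw_is_next_address": gw_addr == ip_addr + 1,
        "gw_in_subnet": gw_addr in net,
        # XP rule: for a non-local route the gateway must not be the interface itself.
        "gw_differs_from_interface": gw_addr != ip_addr,
    }


if __name__ == "__main__":
    # Constructed sample: the pool and client values quoted in the question.
    result = check_client_addressing(
        "192.168.100.1", "192.168.100.14",
        "192.168.100.1", "255.255.255.240", "192.168.100.2",
    )
    for name, ok in result.items():
        print(f"{name}: {ok}")
```

The /32-with-gateway-equal-to-IP layout the question expected would fail the last two mask and gateway checks, which is exactly the layout the answer says XP rejects for a non-local route.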

