pix 501 vpn problem

Answered Question
Aug 13th, 2009

I can connect but don't see any network resources.

The Vpn Client, ver:5.0.01, is running on an xp machine.

The network it is connecting to is behind a pix501- Ver. 6.3(5).

When the connection is made the remote client gets an assigned address from the vpn pool 192.168.2.10- 192.168.2.25:

The vpn client log shows:

Line:45 18:07:27.898 08/12/09 Sev=Info/4 CM/0x63100034

The Virtual Adapter was enabled:

IP=192.168.2.10/255.255.255.0

DNS=0.0.0.0,0.0.0.0

WINS=0.0.0.0,0.0.0.0

Domain=

Split DNS Names=

This is followed by these lines:

46 18:07:27.968 08/12/09 Sev=Warning/2 CVPND/0xE3400013

AddRoute failed to add a route: code 87

Destination 192.168.1.255

Netmask 255.255.255.255

Gateway 192.168.2.1

Interface 192.168.2.10

47 18:07:27.968 08/12/09 Sev=Warning/2 CM/0xA3100024

Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8020a, Gateway: c0a80201.

48 18:07:28.178 08/12/09 Sev=Info/4 CM/0x63100038

Successfully saved route changes to file.

49 18:07:28.198 08/12/09 Sev=Info/6 CM/0x63100036

The routing table was updated for the Virtual Adapter

50 18:07:29.760 08/12/09 Sev=Info/4 CM/0x6310001A

One secure connection established

* ...

I can ping, from the remote client, to an inside ip behind the pix even

when I get the "add route failure" shown above, but i can't ping the computer name.

I enabled NAT traversal using the PDM, But when I connect with this option I get the error that the "Remote end is NOT behind a NAT device This end IS behind a NAT device" and ping fails.

Behind the pix are a few computers with no central server so I'm not passing a WINS server to the remote client.

I set up the vpn with the wizard.

Attached is the config file.

Any suggestions would be appreciated.

Regards,

Hugh

Attachment: 
Correct Answer by JORGE RODRIGUEZ about 7 years 6 months ago

Hugh, sure you can rate based on the overall of the conversation but you are not obligated to do so but certainly would be nice to provide ratings.

To summarized the overall narrowing down possible issues, the main goal was to ensure RA VPN configuration on the PIX501 was corrected.

1- We enabled NAT-T on the firewall - even though this was not the issue but it is required to have it there should you RA VPN from other locations - NAT travseral makes the firewall aware of NAT devices from other ends - here is some good information on NAT-T for reference in future

http://www.microsoft.com/technet/community/columns/cableguy/cg0802.mspx

2-We corrected the VPN POOL network /28 as well as the nonat access list and crypto acl to be consistant.

Here is a link for future reference with numerous PIX configuration scenarios

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

lastly - your only remaining issue we can say is purely isolated with MAC machine and vpn client software.

You could perhaps try different version of the client in the MAC, or also look into release notes open caveats to rule out cisco cleint versioning and MAC versioning if there is any issues.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_notes_list.html

Regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
verstand76 Thu, 08/13/2009 - 11:14

I did try : isakmp nat-traversal but got the error I noted in my post. I even couldn't ping then. I'll try again. Do I need to add any seconds or just leave blank?

JORGE RODRIGUEZ Thu, 08/13/2009 - 12:07

Could you correct your vpn pool to be consistant with your nonat exempt rule prior to troubleshooting fruther.

you have /28 pool network, that gives 14 hosts and range should start at host .1 to .14 , your config have ip local pool vpp1 192.168.2.10-192.168.2.25

your vpn pool shoudl be:

ip local pool vpp1 192.168.2.1-192.168.2.14

as for the NAT-T the 20 is default so automatically will be added.

[edit]

after you correct vpn pool network range try vpn client and access resources in the 192.168.1.0/24 network.

Post results

verstand76 Thu, 08/13/2009 - 12:29

ok, I'll will change the pool.

I just tried the nat-t but still nothing to "see". I was able to ping inside though, so I must of had some other config setting when ping failed.

I'm still getting the "add route failure" in the client log; is this significant?

the client log shows connected and continues with line after line of

"Sent a keepalive on the IPSec SA"

I'll post new results after pool change.

Thanks,

hugh

verstand76 Thu, 08/13/2009 - 13:46

I changed the pool. Still can't see computer behind pix.

The ipconfig shows for cisco adapter an ip of 192.168.2.1 but has no default gateway.

In Route Details window: Local LAN routes is empty and Secured routes has 192.168.1.0 255.255.255.0

bytes sent and received show some in the client statistics but if i check the cisco vpn network via network connections it shows 0 bytes sent and received.

VDP port 4500 and says local lan disabled ; i don't understand this as I have 'allow local lan access' checked in the client set up.

I'm still getting the "add route failure"

hugh

JORGE RODRIGUEZ Thu, 08/13/2009 - 18:10

Hugh, ok you corrected the vpn pool, looking at the config seems to be ok split tunnle alcl etc.. which makes me think perhaps vpn client itself or machine, have you tried different version of vpn client , or even from a different machine.

post again an updated config for a second look .

Regards

verstand76 Fri, 08/14/2009 - 06:25

Yes, I've tried client ver. 4.9.61 on a Mac OS X 10.5.7; it connects but I see nothing, nor can I ping.

I have cisco vpn client 5.0.00.0340 which I can try from windows. What do you think?

The windows os I've tried so far is xp home service pack 2 with cisco client 5.0.01 as noted in first post.

I can try from another windows os xp home service pack 3.

attached is latest config

thanks for working on this

Hugh

Attachment: 
JORGE RODRIGUEZ Fri, 08/14/2009 - 08:42

Sorry..I did not notice the crypto acl is incorrect , change it to be /28, you have it with a /27.

remove this:

no access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

replace with:

permit ip any 192.168.2.0 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

post if still issue.

verstand76 Fri, 08/14/2009 - 10:35

ok, i need to get this clear:

you mean replace the line:

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

with this line:

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

hugh

JORGE RODRIGUEZ Fri, 08/14/2009 - 11:40

Yes Hugh, I placed the no in the line.

no access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

and add to your config

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

we just need to make config clear and consistant to rule out vpn config discrepancies in your issue.

Regards

verstand76 Fri, 08/14/2009 - 11:58

yes, I see that the 'no' is part of the command. It did remove the line. I'm about to test now.

I noticed in viewing configuration settings through the PDM that under VPN/IPSec Rules in the Remote Side panel (detail view) should both be 192.168.2.0/28 ?

After I changed access-list outside using the command line tool, this panel had 192.168.2.0/28 but below it was 192.168.2.0/27.

I changed this /27 via Edit and saved. an error message came up but it now shows both as 192.168.2.0/28.

I presume this is correct.

hugh

JORGE RODRIGUEZ Fri, 08/14/2009 - 12:30

Yes, try testing again.. after that crypto acl correction at least the vpn config is consistant and narrow down troubleshooting effort.

Make also sure that hosts behind the PIX the 192.168.1.0 network don't have any firewalls turned on so that vpn pool network can ping those hosts by ip.

verstand76 Mon, 08/17/2009 - 09:42

Success, I couldn't believe it. It was an enjoyable experience.

I made only one change that I can see by comparing the config files; I removed a specific computer that was in the list of internal networks.

The lines were:

pdm location x.x.x.x 255.255.255.255 inside

http x.x.x x. 255.255.255.255 inside

I'm have no idea if this did it or not. Maybe the problem was that it was in the same subnet as the main http network? I can test later.

I haven't had the same luck with the mac os x vpn client. I can connect and get an ip from the vpn pool but can't ping or find the internal networks. I checked the the routes logged in the mac using netstat but I don't see the ip given by the pix to the mac. If it is connected it must have the route, or at least it seems it should. Maybe this behavior by netstat is normal for a vpn connection.

I was going to work on this later today after other tasks.

Thank you for your help and patience in walking me through this.

regards,

hugh

verstand76 Mon, 08/17/2009 - 09:57

I forgot to mention that even when I connected successfully via windows vpn client, I still got the "addRoute failed to add." ( error code 87 in the vpn client log)

hugh

JORGE RODRIGUEZ Mon, 08/17/2009 - 11:42

Hugh, post an updated config again.

When you say success, then you still get the same error code, what is it ? is it working or not?

In any case PLS post config once again to see where we are, also add to your config prior posting these two statement for testing the access to PIX inside interface IP from RA VPN client.

(config)#management-access inside

(config)#telnet 192.168.2.0 255.255.255.240 inside

verstand76 Mon, 08/17/2009 - 12:41

I'll have to get back to you later with the config and then I can do the changes as suggested. Right now i'm pressed by the usual flood of 'sudden' monday deadlines.

Sorry, I thought I was clear. I can connect and view shared resources via the windows os vpn client. This is what i was unable to do before. while connected I then checked the vpn client log to see if the 'addRoute' error was there and it was.

I concluded that this error was not critical for the problem of viewing the network ( prior to this I had searched the web using "cisco error code 87" and found someone who had a network viewing problem but had solved it and they too still had the "addroute" error. Unfortunately they didn't explain how they solved their problem)

so 'success' meant: yes I can connect and view network resources; but for some reason 'addroute' error still happens

Secondly: I can connect with the mac vpn client but I can't ping internal network nor can i view shared resources behind the pix501. ( both of which I can now do from the windows client)

my line of thought here is it has to do with the mac os X system but I haven't had time to research it yet.

what's your idea behind the testing plan?

Is this something I would monitor from inside the pix?

hugh

JORGE RODRIGUEZ Tue, 08/18/2009 - 05:16

Hugh, thanks for clarifying.. the last two statements I indicated don't need to be place in the config unless you want to manage or ping the pix firewall inside interface from RA vpn.

Since you can from Windows get to all resources it seems the issue can be narow down to the MAC OS and not the PIX cnfiguration.

For the MAC issue I would have to look, I don't have a MAC I could test with in my lab..

Regards

verstand76 Tue, 08/18/2009 - 05:30

ok, thank you.

There are so many of your posts do I rate them all are just the overall conversation?

hugh

Correct Answer
JORGE RODRIGUEZ Tue, 08/18/2009 - 08:02

Hugh, sure you can rate based on the overall of the conversation but you are not obligated to do so but certainly would be nice to provide ratings.

To summarized the overall narrowing down possible issues, the main goal was to ensure RA VPN configuration on the PIX501 was corrected.

1- We enabled NAT-T on the firewall - even though this was not the issue but it is required to have it there should you RA VPN from other locations - NAT travseral makes the firewall aware of NAT devices from other ends - here is some good information on NAT-T for reference in future

http://www.microsoft.com/technet/community/columns/cableguy/cg0802.mspx

2-We corrected the VPN POOL network /28 as well as the nonat access list and crypto acl to be consistant.

Here is a link for future reference with numerous PIX configuration scenarios

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

lastly - your only remaining issue we can say is purely isolated with MAC machine and vpn client software.

You could perhaps try different version of the client in the MAC, or also look into release notes open caveats to rule out cisco cleint versioning and MAC versioning if there is any issues.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_notes_list.html

Regards

verstand76 Tue, 08/18/2009 - 08:15

I put a rate on this final summary.

Thanks again for all the help

hugh

Actions

This Discussion