VPN Client Default Gateway is blank

Answered Question
Aug 27th, 2009


When I log in through ASA Remote Access VPN via the VPN client, I have a new IP assigned but the default gateway is blank. Why is it so?

tech_trac Thu, 08/27/2009 - 03:09


I am able to log into the main network via the Remote Access VPN Client. But I am not able to initiate connections to other connected networks from the main network. What do I need to enable access to other networks?

tech_trac Thu, 08/27/2009 - 03:27

Yes. I have configured split tunnel on ASA and the problem network has been added to the 'Split Network Tunnel List' via ASDM.

What do you mean by crypto domain list?


Encryption domain = split tunnel networks, the IP subnets you want the client to send/receive encrypted traffic for.

If you have the IP subnets in the split-tunnel list and you still cannot reach them, then check your routing. REMEMBER the remote ip subnets MUST know how to reach the IP addresses of the remote VPN clients - basic routing.
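The routing point above is the one that bites most often, and it cuts both ways: the VPN head-end must have a route to each split-tunnel subnet through its inside interface, and the firewall in front of the target must have a route back to the VPN address pool. The following is an added example, not code from the thread or from Cisco: a small longest-prefix-match check over hand-written routing tables. All prefixes, interface names and the VPN pool are constructed assumptions (RFC 1918 / RFC 5737 test addresses), and the ASA table is deliberately missing the route to the target network, which is the failure mode the thread ends up finding.

```python
import ipaddress

# Constructed routing tables (assumptions for this example, not from the
# thread): (prefix, egress interface, next hop or None if directly connected).
ASA_ROUTES = [
    ("0.0.0.0/0",    "outside", "203.0.113.1"),  # internet
    ("10.10.0.0/24", "inside",  None),           # main network, CAT65 at 10.10.0.1
    # Note: no route to 10.20.0.0/24 (the DMZ2 target network) on purpose.
]
FWSM_ROUTES = [
    ("0.0.0.0/0",    "OUTSIDE", "10.10.0.1"),    # back toward CAT65 / ASA
    ("10.20.0.0/24", "DMZ2",    None),           # target network, connected
]
VPN_POOL = "10.10.200.0/24"                      # assumed client address pool
SPLIT_TUNNEL = ["10.10.0.0/24", "10.20.0.0/24"]  # assumed split-tunnel list


def lookup(routes, ip):
    """Longest-prefix match over (prefix, iface, nexthop) tuples; None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return best


def diagnose(dst_ip, client_ip, asa_routes=ASA_ROUTES, fw_routes=FWSM_ROUTES,
             split=SPLIT_TUNNEL, asa_inside="inside", fw_to_asa="OUTSIDE"):
    """Check one client -> destination flow in both directions.

    Returns a list of findings; an empty list means the path checks out.
    """
    findings = []
    dst = ipaddress.ip_address(dst_ip)

    # 1. Is the destination inside the encryption domain at all?
    if not any(dst in ipaddress.ip_network(n) for n in split):
        findings.append(f"{dst} is not in the split-tunnel list; the client sends "
                        "it in the clear via its local default gateway")

    # 2. Forward path: does the VPN head-end reach the destination via inside?
    fwd = lookup(asa_routes, dst)
    if fwd is None:
        findings.append(f"ASA has no route to {dst}")
    elif fwd[1] != asa_inside:
        findings.append(f"ASA routes {dst} out '{fwd[1]}' via {fwd[2]} ({fwd[0]}); "
                        f"add a static route for it via the {asa_inside} next hop")

    # 3. Return path: does the firewall in front of the target know the pool?
    back = lookup(fw_routes, client_ip)
    if back is None:
        findings.append(f"FWSM has no route back to VPN client {client_ip}")
    elif back[1] != fw_to_asa:
        findings.append(f"FWSM sends replies for {client_ip} out '{back[1]}' "
                        f"instead of '{fw_to_asa}' (asymmetric path)")
    return findings


if __name__ == "__main__":
    client = str(next(ipaddress.ip_network(VPN_POOL).hosts()))
    for finding in diagnose("10.20.0.10", client) or ["path OK"]:
        print(finding)
```

With the tables as written, the only finding is that the ASA sends 10.20.0.10 out its default route; adding the 10.20.0.0/24 route via the inside next hop clears it, while removing the FWSM default route instead produces the "no route back" finding, which is the case the reply above is warning about.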

tech_trac Thu, 08/27/2009 - 03:36

The routing part is Ok. Because I logged into another host on the main network (without VPN) and am able to reach the other network.

But through the VPN assigned IP on the main network I cannot reach the other network.

There is another firewall before the other network, and the logs for port 3389 are as follows, which show a connection timeout.

Aug 27 2009 15:32:31: %FWSM-6-302013: Built inbound TCP connection 145686386116986871 for OUTSIDE: ( to DMZ2: (

Aug 27 2009 15:32:52: %FWSM-6-302014: Teardown TCP connection 145686386116986871 for OUTSIDE: to DMZ2: duration 0:00:20 bytes 264 Conn-timeout

Being able to connect from a machine NOT on the VPN to the remote network does NOT prove the routing is OK, as you are not on the VPN.

Check that the remote network knows how to route to the IP subnet used for the RVPN.

From the above outputs, you need to check your NAT/Routes/ACL's that permit inside to DMZ2 traffic.
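The two FWSM lines quoted above already tell the story: a connection is built, then torn down by timeout after 20 seconds having moved only 264 bytes, which is what a few unanswered SYN retransmissions look like, not a session that was answered and closed. The following is an added example, not from the thread or from Cisco: a parser for the 302013/302014 message pair that pairs Built and Teardown lines by connection ID and pulls out flows that timed out carrying almost no data, then groups them by source so a whole VPN pool with no return route stands out from a single broken client. The sample log lines are constructed (the thread's own lines had their addresses stripped) and use RFC 1918 addresses and made-up connection IDs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FWSM/ASA 302013/302014 format (assumed
# addresses and connection IDs, not taken from the thread). Two VPN-pool
# clients time out after a handful of SYNs; one LAN host has a normal session.
SAMPLE_LOG = """\
Aug 27 2009 15:32:31: %FWSM-6-302013: Built inbound TCP connection 4001 for OUTSIDE:10.10.0.50/51234 (10.10.0.50/51234) to DMZ2:10.20.0.10/3389 (10.20.0.10/3389)
Aug 27 2009 15:32:52: %FWSM-6-302014: Teardown TCP connection 4001 for OUTSIDE:10.10.0.50/51234 to DMZ2:10.20.0.10/3389 duration 0:00:20 bytes 264 Conn-timeout
Aug 27 2009 15:33:01: %FWSM-6-302013: Built inbound TCP connection 4002 for OUTSIDE:10.10.0.7/49152 (10.10.0.7/49152) to DMZ2:10.20.0.10/3389 (10.20.0.10/3389)
Aug 27 2009 15:33:05: %FWSM-6-302013: Built inbound TCP connection 4003 for OUTSIDE:10.10.0.51/51300 (10.10.0.51/51300) to DMZ2:10.20.0.10/3389 (10.20.0.10/3389)
Aug 27 2009 15:33:35: %FWSM-6-302014: Teardown TCP connection 4003 for OUTSIDE:10.10.0.51/51300 to DMZ2:10.20.0.10/3389 duration 0:00:30 bytes 0 SYN Timeout
Aug 27 2009 15:40:15: %FWSM-6-302014: Teardown TCP connection 4002 for OUTSIDE:10.10.0.7/49152 to DMZ2:10.20.0.10/3389 duration 0:07:14 bytes 188342 TCP FINs
"""

BUILT = re.compile(
    r"%(?:FWSM|ASA)-\d-302013: Built (?P<dir>inbound|outbound) TCP connection "
    r"(?P<id>\d+) for (?P<sif>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dif>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN = re.compile(
    r"%(?:FWSM|ASA)-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"\S+?:(?P<src>[\d.]+)/\d+ to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$")

# Teardown reasons that mean "nobody answered", as opposed to a normal close.
TIMEOUT_REASONS = {"Conn-timeout", "SYN Timeout"}


def duration_seconds(hms):
    """'0:07:14' -> 434."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def find_half_open(log_text, max_bytes=512):
    """Return flows torn down by timeout after moving at most max_bytes.

    Built lines are remembered by connection ID so the teardown can be
    enriched with the ingress/egress interfaces; a teardown with no matching
    Built line is still reported, with the interfaces left as None.
    """
    built = {}
    suspects = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN.search(line)
        if not m:
            continue
        reason = m["reason"].strip()
        if reason in TIMEOUT_REASONS and int(m["bytes"]) <= max_bytes:
            b = built.get(m["id"], {})
            suspects.append({
                "id": m["id"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "seconds": duration_seconds(m["dur"]),
                "bytes": int(m["bytes"]), "reason": reason,
                "src_if": b.get("sif"), "dst_if": b.get("dif"),
            })
    return suspects


def by_source(suspects):
    """Count half-open flows per source address."""
    counts = defaultdict(int)
    for s in suspects:
        counts[s["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_half_open(SAMPLE_LOG)
    for s in found:
        print(f"{s['src']} -> {s['dst']}:{s['dport']} {s['reason']} "
              f"after {s['seconds']}s, {s['bytes']} bytes "
              f"({s['src_if']} -> {s['dst_if']})")
    print(by_source(found))
```

If the suspects cluster on the VPN pool while hosts on the same VLAN complete sessions normally, the firewall is forwarding the SYNs (the Built line proves the ACL allowed them) and the fault is on the path the replies take, which is exactly where the NAT/route/ACL check above points.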

tech_trac Thu, 08/27/2009 - 03:51

The VPN assigned IP is I have allowed ANY on the outside ACL of the FWSM.

Brief Topology:

Host -> CAT65 -> FWSM -> Target Host

NAT is configured on CAT65 but is not applicable to the Host VLAN. Secondly, there is no NAT configured on FWSM.

I believe same routing should be applicable since the Host IP from which I can reach the destination is, and the VPN IP assigned is, so same routes should apply (No host based routing).


tech_trac Thu, 08/27/2009 - 04:39

The pool is already defined. is part of the pool which is automatically assigned upon VPN connection. There is no conflict between the pool allocated and any other host on the same network.

The config for the pool is

ip local pool mypool mask

tunnel-group cisco type ipsec-ra

tunnel-group cisco general-attributes

address-pool mypool

default-group-policy cisco

tech_trac Thu, 08/27/2009 - 07:34

ip local pool has been configured on the ASA and FWSM. Below is the topology with ASA on which the VPN terminates

ASA (VPN) -> Host -> CAT65 -> FWSM -> Target Host


tech_trac Fri, 08/28/2009 - 02:32

Hi Andrew,

Any clues on this.

I did the capture on FWSM. The PO packets are forwarded to the end host and there is a reply as well, i.e. to ICMP messages. What could be causing the timeouts on FWSM if the response is being received by the end host?

I could only think of the VPN configuration on ASA causing this.


tech_trac Fri, 08/28/2009 - 03:13


Worked. It was the route on the ASA.

But tell me one thing: how does the routing table in ASA (VPN) affect the connected host? Since the host is already connected with CAT65K as the default gateway, only CAT65's routing table should be relevant.

tech_trac Fri, 08/28/2009 - 04:37

Hi Andrew,

More on this....

If I were to add one more ASA in the front so that the topology now becomes

ASA -> ASA -> Host -> CAT65K -> FWSM -> Target Host

where should the VPN ideally be terminated? Should it be the first ASA or the second?

tech_trac Fri, 08/28/2009 - 12:12

In my case the second ASA has AIP-SSM module.

Should I pass the VPN traffic to the IPS module ? If so then how should it be defined in the class-map for IPS traffic.

tech_trac Fri, 08/28/2009 - 13:19

OK. If I were to avoid it, how could it be done? Because the traffic coming from the internet onto the same segment is currently being scanned.

And the VPN traffic for remote management is also connected to the same segment. How can I exempt the VPN traffic from being sent to the AIP-SSM?

Secondly, is it safe from a security perspective to allow internet access while the host is connected over the VPN (split tunnel) to the corporate network?

