VPN Client Default Gateway is blank

tech_trac
Level 1

Hello,

When I log in through ASA Remote Access VPN via VPN client, I have a new IP assigned but the default gateway is blank. Why is it so?

Accepted Solution

Sorry - been busy with something else.

OK - can you see from the ASA the packet being encrypted and de-crypted?

Does the ASA have the relevant routes in it?

Does the ASA have the correct IP subnets in the VPN split tunnel list?

21 Replies

andrew.prince
Level 10

That is correct - this is because the traffic is passed through the local encryption client stack.

This is OK.

Thanks.

I am able to log into the main network via Remote Access VPN Client. But I am not able to initiate connection to other connected networks from the main network. What do I need to enable access to other networks?

Those IP subnets need to be in the encryption domain list configured in the VPN concentrator. I presume you have split tunneling configured?

Yes. I have configured split tunnel on ASA and the problem network has been added to the 'Split Network Tunnel List' via ASDM.

What do you mean by crypto domain list?

Thanks.

Encryption domain = split tunnel networks, the IP subnets you want the client to send/receive encrypted traffic for.

If you have the IP subnets in the split-tunnel list and you still cannot reach them, then check your routing. REMEMBER the remote IP subnets MUST know how to reach the IP addresses of the remote VPN clients - basic routing.

The routing part is Ok. Because I logged into another host on the main network (without VPN) and am able to reach the other network.

But through the VPN assigned IP on the main network I cannot reach the other network.

There is another firewall before the other network, and the logs for port 3389 are as follows, which show the connection timing out.

Aug 27 2009 15:32:31: %FWSM-6-302013: Built inbound TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 (192.168.169.199/51517) to DMZ2:192.168.170.60/3389 (192.168.170.60/3389)

Aug 27 2009 15:32:52: %FWSM-6-302014: Teardown TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 to DMZ2:192.168.170.60/3389 duration 0:00:20 bytes 264 Conn-timeout
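As an added illustration (not code from the thread), here is a small parser that pairs the FWSM 302013 "Built" and 302014 "Teardown" messages by connection ID and flags connections that were torn down by Conn-timeout after carrying almost no data, which is the pattern worth checking against the return route for the VPN pool. The sample log embeds the two lines quoted above plus two constructed lines for a working session; the 512-byte threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Sample FWSM syslog: the two messages quoted in the thread, plus two constructed
# lines (connection 145686386116986999) showing a session that completed normally.
SAMPLE_LOG = """\
Aug 27 2009 15:32:31: %FWSM-6-302013: Built inbound TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 (192.168.169.199/51517) to DMZ2:192.168.170.60/3389 (192.168.170.60/3389)
Aug 27 2009 15:32:52: %FWSM-6-302014: Teardown TCP connection 145686386116986871 for OUTSIDE:192.168.169.199/51517 to DMZ2:192.168.170.60/3389 duration 0:00:20 bytes 264 Conn-timeout
Aug 27 2009 15:33:01: %FWSM-6-302013: Built inbound TCP connection 145686386116986999 for OUTSIDE:192.168.169.10/40001 (192.168.169.10/40001) to DMZ2:192.168.170.60/3389 (192.168.170.60/3389)
Aug 27 2009 15:45:07: %FWSM-6-302014: Teardown TCP connection 145686386116986999 for OUTSIDE:192.168.169.10/40001 to DMZ2:192.168.170.60/3389 duration 0:12:06 bytes 1830211 TCP FINs
"""

BUILT = re.compile(r"%FWSM-6-302013: Built \w+ TCP connection (?P<cid>\d+) for "
                   r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \(\S+\) to "
                   r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN = re.compile(r"%FWSM-6-302014: Teardown TCP connection (?P<cid>\d+) for .* duration "
                      r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$")

@dataclass
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    duration: int = -1      # seconds; -1 until a teardown is seen
    nbytes: int = -1
    reason: str = "open"

def parse_connections(log: str) -> dict:
    """Map connection ID -> Conn, merging Built and Teardown messages."""
    conns = {}
    for line in log.splitlines():
        if m := BUILT.search(line):
            conns[m["cid"]] = Conn(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        elif m := TEARDOWN.search(line):
            c = conns.get(m["cid"])
            if c is None:
                continue   # teardown whose Built message is outside this window
            c.duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c.nbytes = int(m["bytes"])
            c.reason = m["reason"].strip()
    return conns

def suspect_one_way(conns: dict, max_bytes: int = 512) -> list:
    """Connections torn down by Conn-timeout after carrying only a few hundred
    bytes: the handshake did not complete through the FWSM, so the reply path
    back to the source (here, the VPN pool) is the first thing to verify."""
    return [c for c in conns.values()
            if c.reason == "Conn-timeout" and 0 <= c.nbytes <= max_bytes]
```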

Being able to connect from a machine NOT on the VPN to the remote network does NOT prove the routing is OK, as you are not on the VPN.

Check that the remote network knows how to route to the IP subnet used for the RVPN.

From the above outputs, you need to check your NAT/routes/ACLs that permit inside to DMZ2 traffic.

The VPN assigned IP is 192.168.169.199/24. I have allowed ANY on the outside ACL of the FWSM.

Brief Topology:

Host -> CAT65 -> FWSM -> Target Host

NAT is configured on CAT65 but is not applicable to the Host VLAN. Secondly, there is no NAT configured on FWSM.

I believe same routing should be applicable since the Host IP from which I can reach the destination is 192.168.169.10/24, and the VPN IP assigned is 192.168.169.199/24, so same routes should apply (No host based routing).

Thanks.

How is that possible - to have an IP address assigned 192.168.169.199/24 which is 192.168.169.1 <> 192.168.169.254 and you have not split it from the internal network.

I suggest you create a separate pool of addresses for the Remote VPN.

The pool is already defined. 192.168.169.199 is part of the pool which is automatically assigned upon VPN connection. There is no conflict between the pool allocated and any other host on the same network.

The config for the pool is:

ip local pool mypool 192.168.169.155-192.168.169.225 mask 255.255.255.0
tunnel-group cisco type ipsec-ra
tunnel-group cisco general-attributes
address-pool mypool
default-group-policy cisco

Sorry, but what I am finding hard to believe is that the FWSM is allowing you to configure:

ip local pool mypool 192.168.169.155-192.168.169.225 mask 255.255.255.0

and it does not overlap with any other interfaces?

ip local pool has been configured on the ASA and FWSM. Below is the topology with the ASA on which the VPN terminates.

ASA (VPN) -> Host -> CAT65 -> FWSM -> Target Host

Thanks.

Hi Andrew,

Any clues on this.

I did the capture on FWSM. The PO packets are forwarded to the end host and there is a reply as well, i.e. to ICMP messages. What could be causing the timeouts on FWSM if the response is being received by the end host?

I could only think of the VPN configuration on ASA causing this.

Thanks.
