SA540: Can't change SSL VPN Client IP address range

Unanswered Question
Aug 24th, 2010
User Badges:


I've had the SA540 up & running fine for months with SSL VPN users.  I now want to change the IP range assigned to VPN users.  Under VPN - SSL VPN Client - SSL VPN Client, I had the Client Address Range Begin set to and the end  Everything works great.  The router itself was sitting at  I wanted to change the IP range assigned to VPN users, but when I went to modify the begin from to, and the end from to, I got the following error:

"LAN IP/subnet is also in the same range.

Please configure different pool."

Does anyone know wtf it's talking about?  Most unhelpful error messages ever.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
KOMNetworks Tue, 08/24/2010 - 11:09
User Badges:

Thanks for the reply.

Yes, I upgraded from 1.1.42 to the new 1.1.65 just today.  I glanced through the release notes and didn't see anything related to my problem (but I did see a LOT of unresolved issues, with some or no workarounds...)

juliomar Tue, 08/31/2010 - 16:43
User Badges:
  • Cisco Employee,

Dear KOM Networks,

You will get this message if your SSL VPN client addresses lie within the subnet of the LAN subnet as configured in Networking->LAN->IPv4 Config.  However in your case, your modification should not have triggered the error as the new address range seems to be near your old working range.

Can you send us your configuration file, I will load it and try it out locally. Please change any password and/or sensitive information from the configuration.

If you do not want to post these items in the forum, please feel free to send me these items in private message. 

Best regards,


I have the same exact problem! It all started when a new computer wouldn't receive an IP address when I connected it to the network, only a 169 IP address. So I tried to expand the DHCP range from 50 ( - possible addressed to a 100 ( -, because the "DHCP Leased Client list" showed 50 IP/MAC pairings!

I received this error in red letters: "SSL-VPN client pool is also in the same range. Please configure different IP." So I went to the "SSL VPN client" page and made sure that the range ( - doesn't overlap with the above attempted LAN DHCP range. It doesn't!!!

At this stage I'm unable to add any more devices to the network and I'm also unable to expand the DHCP client range at all! If there were a way to release DHCP leases manually, that would also work! Any insight would be greatly appreciated because I'm the IT guy for a school and the director is breathing down my neck!!!

Firmware is

Tom Watts Wed, 02/27/2013 - 05:33
User Badges:
  • Green, 3000 points or more

Hi Andy, the error seen says it overlaps your SSL VPN range for IP addresses. If that is the truth then you may go to the VPN tab then go to DYNAMIC IP RANGE and modify the ip start/finish if it is inside of your DHCP range.

Please mark answered for helpful posts

the LAN DHCP range is - and I tried to modify that to -

The SSL-VPN range is - so they are definitely not overlapping. The pics I attached are screenshots from the actual device's GUI.

Any further insight would be very much appreciated....

I don't think the latest firmware versions will allow you to use the same subnet for SSL VPN users as the main subnet.

In case it helps:

We use the defaults on the SSL VPN Client page (, but click Enable Split Tunnel Support as we don't want Internet traffic to be routed through the VPN tunnel (this is up to you).  We also had to create a Configured Client Route to our main subnet (

We also create a global "deny" policy for all ports on all IP networks.  Then create user specific 'permit' policies for the IP network ( we want them to have access to, as well as, what ports (3389 for Remote Desktop and 4900 for VNC).

If you don't create a global "deny" policy for all ports on all IP networks, the default is a global "permit" for all ports on all IP networks!!!  This defeats one of the main benefits of SSL VPN (the ability to tighten access).

Tom Watts Wed, 02/27/2013 - 10:49
User Badges:
  • Green, 3000 points or more

Hi Andy, has the dynamic Ip range always been the same? Or did you modify it at some point? The reason being, changes made to that page after the VPN policies were made do not really take effect. To make a sufficient change, you need to delete the vpn policy/users, etc then modify the dynamic IP range section.

Please mark answered for helpful posts


This Discussion