VPN won't connect from some locations

Answered Question
Mar 7th, 2011

I have a notebook computer running Cisco VPN Client v5 which connects to the office network fine from some locations, but not from other locations. And at the locations where it won't connect, it will connect fine to another unrelated network. By "won't connect" I mean that I cannot access any of the resources on the office network -- the client software appears to work, but there's no access, I can't ping anything on the office network. What would cause this? Here's the log file from a location where it won't connect to the office network:

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: E:\Cisco Systems VPN Client\

1      21:36:30.625  03/07/11  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
    Destination    5.0.0.0
    Netmask    255.0.0.0
    Gateway    192.36.253.1
    Interface    192.36.253.179

2      21:36:30.625  03/07/11  Sev=Warning/2    CM/0xA3100024
Unable to add route. Network: 5000000, Netmask: ff000000, Interface: c024fdb3, Gateway: c024fd01.

In this particular case, the local network is using the 192.168.1.x IP range, so that shouldn't be an issue.

lee

Correct Answer
Jennifer Halim Mon, 03/07/2011 - 20:08

It might be that you are going through a PAT device, hence you are not able to access any of the resources after the VPN is connected, because ESP packets typically won't pass through a PAT device.

What needs to be configured on the VPN server is to allow NAT-T (NAT Traversal), i.e. encapsulation of the ESP packet into a UDP or TCP packet, so it passes through the PAT device just fine.

What VPN server do you have to terminate the VPN Client?

The command to enable it on ASA would be: crypto isakmp nat-traversal 20

Let me know if you have other devices as the VPN server.

Hope that helps.
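
As an added illustration (not part of the original thread and not Cisco's code), the Python below classifies raw IPv4 packets the way a PAT device on the client's path sees them, showing why native ESP offers no port to translate while NAT-T traffic does. The UDP ports 500/4500 and the RFC 3948 markers are assumptions taken from the standard rather than from this page, and every packet is constructed sample data.

```python
import struct

ESP, UDP = 50, 17                  # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # assumed standard ports (RFC 3947/3948), not stated on the page

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet the way a PAT device on the client's path sees it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4   # IPv4 header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if proto == ESP:
        return "native-esp"        # SPI + sequence only: no port for PAT to rewrite
    if proto != UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"        # one-byte keepalive holds the PAT mapping open
        if len(data) < 4:
            return "malformed"
        if data[:4] == b"\x00" * 4:
            return "ike-udp4500"           # non-ESP marker precedes IKE
        return "esp-in-udp4500"            # non-zero SPI: encapsulated ESP
    if IKE_PORT in (sport, dport):
        return "ike-udp500"
    return "other"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test helper: minimal IPv4 header (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + bytes([192, 168, 1, 10]) + bytes([203, 0, 113, 5]) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed test helper: UDP header with checksum 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed ESP body: SPI, sequence number, dummy ciphertext.
ESP_BODY = struct.pack("!II", 0x1A2B3C4D, 1) + bytes(16)

SAMPLES = {
    "esp without NAT-T": ipv4(ESP, ESP_BODY),
    "ike phase 1": ipv4(UDP, udp(500, 500, bytes(28))),
    "ike after NAT detected": ipv4(UDP, udp(4500, 4500, bytes(4) + bytes(28))),
    "esp with NAT-T": ipv4(UDP, udp(4500, 4500, ESP_BODY)),
    "keepalive": ipv4(UDP, udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} -> {classify(pkt)}")
```

Run against a capture taken at a failing location, a result of only "ike-udp500" and "native-esp" with no UDP 4500 traffic matches the situation the answer describes: the tunnel negotiates, but data packets never make it through the PAT device.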

lhite1234 Tue, 03/08/2011 - 13:14

Thanks for the quick reply -- we're using a Cisco ASA 5505. I'll talk to the network admin about the config change and let you know.

This Discussion

Posted March 7, 2011 at 8:03 PM