03-07-2011 08:03 PM
I have a notebook computer running Cisco VPN Client v5 which connects to the office network fine from some locations, but not from other locations. And at the locations where it won't connect, it will connect fine to another unrelated network. By "won't connect" I mean that I cannot access any of the resources on the office network -- the client software appears to work, but there's no access; I can't ping anything on the office network. What would cause this? Here's the log file from a location where it won't connect to the office network:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: E:\Cisco Systems VPN Client\
1 21:36:30.625 03/07/11 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 5.0.0.0
Netmask 255.0.0.0
Gateway 192.36.253.1
Interface 192.36.253.179
2 21:36:30.625 03/07/11 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: 5000000, Netmask: ff000000, Interface: c024fdb3, Gateway: c024fd01.
In this particular case, the local network is using the 192.168.1.x IP range, so that shouldn't be an issue.
lee
03-07-2011 08:08 PM
It might be that you are going through a PAT device, hence you are not able to access any of the resources after the VPN is connected, because ESP packets typically won't pass through a PAT device.
What needs to be configured on the VPN server is to allow NAT-T (NAT Traversal), i.e., encapsulation of the ESP packet into a UDP or TCP packet, so it passes through the PAT device just fine.
What VPN server do you have to terminate the VPN Client?
The command to enable it on ASA would be: crypto isakmp nat-traversal 20
Let me know if you have other devices as the VPN server.
Hope that helps.
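An added illustration of the NAT-T encapsulation described in the reply above (not part of the original thread, and not Cisco code). It follows the standard UDP port 4500 framing from RFC 3948; the function names and the sample ESP bytes are constructed for the example.

```python
import struct

NATT_PORT = 4500  # UDP port RFC 3948 uses for NAT-T traffic

def encapsulate_esp(esp: bytes, src_port: int, dst_port: int = NATT_PORT) -> bytes:
    """Wrap an ESP packet in a UDP header so a PAT device has ports to translate."""
    if len(esp) < 8 or esp[:4] == b"\x00" * 4:
        raise ValueError("need SPI + sequence number, and SPI must be non-zero")
    # The IPv4 UDP checksum is sent as zero for UDP-encapsulated ESP.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp

def pat_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """What a PAT device does: replace the UDP source port, leave the payload alone."""
    return struct.pack("!H", new_src_port) + datagram[2:]

def classify(datagram: bytes) -> str:
    """Demultiplex one UDP/4500 datagram (UDP header included) as a NAT-T peer would."""
    if len(datagram) < 9:
        return "malformed"
    length = struct.unpack("!H", datagram[4:6])[0]
    payload = datagram[8:]
    if length != len(datagram):
        return "malformed"
    if payload == b"\xff":
        return "nat-keepalive"      # one 0xFF byte, keeps the PAT mapping alive
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == b"\x00" * 4:
        return "ike"                # non-ESP marker precedes the IKE header
    return "esp"                    # first 4 bytes are a non-zero SPI

if __name__ == "__main__":
    # Constructed sample: SPI 0x12345678, sequence 1, 16 opaque ciphertext bytes.
    esp = struct.pack("!II", 0x12345678, 1) + bytes(range(16))
    wire = pat_rewrite(encapsulate_esp(esp, src_port=4500), new_src_port=61234)
    print(classify(wire), wire[8:] == esp)
```

Bare ESP has no port field for a PAT device to rewrite, which is why it is dropped; once wrapped, only the UDP source port changes and the ESP bytes arrive intact. The 20 in the ASA command is the interval, in seconds, at which the keepalive is sent.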
03-08-2011 01:14 PM
Thanks for the quick reply -- we're using a Cisco ASA 5505. I'll talk to the network admin about the config change and let you know.
03-15-2011 08:49 PM
That config change did the trick -- thanks!
lee