Cisco Support Community

New Member

AddRoute failed to add a route: code 87

I could connect to the Easy VPN server from the client. However, I cannot access any local area resource. The log file showed "Sev= Warning/2 AddRoute failed to add a route: code 87".


Re: AddRoute failed to add a route: code 87

Check the tunnel group configuration on the VPN server.

Also check this bug ID: CSCsb05686.

New Member

Re: AddRoute failed to add a route: code 87

First off, this bug is an internal Cisco bug which says that if you configure a secondary IP address on the main interface, you will see error code 87.

So far, a secondary IP is the only cause documented internally by Cisco. However, even without a secondary IP address set up on the main interface, you can still see the error on the VPN client.

If that is the case, the error indicates an incorrect or incomplete configuration on the ASA side. Check the ASA config for these items:

1) NAT exemption (NAT 0) - to allow the restricted network to be accessible from the VPN pool

2) Split Tunnel - Make sure you specify which inside networks (whole or partial) need to be included in the secure tunneling list. If all traffic, including Internet traffic, is required to be secured by VPN tunnel encryption, you could use ANY.

3) For item (2), that Internet traffic needs to be rerouted back to the Internet from the same Outside interface, so you need to:

3-1) NAT (outside) - this step enables the VPN private IP addresses to be NATed properly to the outside global IP address before the traffic goes back to the Internet.

3-2) Hair-Pinning or U-Turn - use the command "same-security-traffic permit intra-interface". This command basically allows the inbound VPN traffic to go back out of the same Outside interface. It is a similar concept to Split Horizon in IP routing.

I had the exact same issue before, and eventually, after fixing the above items, everything worked fine. From your VPN client log view, you should then be able to see the correct IKE and IPsec information rather than the Code 87 issue.
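The checklist in the reply above, laid out as an ASA configuration fragment. This is an added example, not part of the original thread or Cisco's own documentation. It assumes pre-8.3 NAT syntax (the "NAT 0" form the reply refers to); every address, pool, ACL, group-policy and tunnel-group name in it is constructed for illustration.

```cisco
! Constructed values: inside LAN 192.168.1.0/24, VPN pool 10.10.10.0/24
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 1) NAT exemption (NAT 0): inside LAN to VPN pool is not translated
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2) Split tunnel: only the listed inside network is sent through the tunnel
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
! To tunnel all traffic, Internet included, use this instead of the two lines above:
!  split-tunnel-policy tunnelall

! Tunnel group ties the address pool and the group policy together
tunnel-group EZVPN-TG type remote-access
tunnel-group EZVPN-TG general-attributes
 address-pool VPNPOOL
 default-group-policy EZVPN-GP

! 3-1) Only needed with tunnelall: PAT the VPN pool to the outside
!      interface address before the traffic returns to the Internet
nat (outside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! 3-2) Hairpin / U-turn: permit traffic to enter and leave the same interface
same-security-traffic permit intra-interface
```

With split tunneling (`tunnelspecified`), items 3-1 and 3-2 are not required for access to the inside LAN; they apply only when Internet-bound client traffic is also carried through the tunnel.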
