I'm able to establish the tunnel session w/o a problem, however in the vpn client log, I keep getting this error message "AddRoute failed to add a route: code 87". Does that mean that it's the vpn client issue or the vpn concentrator configuration issue?
there are few posts regarding the "add route" issue with vpn client. i believe there may be a bug with one of the versions.
nonetheless, just wondering if you've disabled all the software firewall on the pc. perhaps also try a different version of vpn client.
I currently have the same issue. The client PC connects to my PIX fine, the little gold lock locks, I get an IP Address and other necessary IP settings but cannot connect to any resources. I look at the log and get the same Error Message.
AddRoute failed to add a route: code 87
The entire message is
Cisco Systems VPN Client Version 4.7.00.0533
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 16:36:16.311 10/11/05 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
2 16:36:16.311 10/11/05 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80ac9, Gateway: c0a80ac9.
Any thoughts would be appreciated !
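Added example, not part of the original post: a short Python decoder for the two warning lines quoted above, assuming the hex fields are IPv4 addresses in network byte order. The function and field names are illustrative; code 87 is the Win32 error ERROR_INVALID_PARAMETER.

```python
import ipaddress
import re

# Constructed sample: the two warning entries quoted in the post above.
SAMPLE_LOG = """\
1 16:36:16.311 10/11/05 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
2 16:36:16.311 10/11/05 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80ac9, Gateway: c0a80ac9.
"""

# Only the code seen on this page is mapped; anything else is reported as unknown.
WIN32_ERRORS = {87: "ERROR_INVALID_PARAMETER"}

CODE_RE = re.compile(r"AddRoute failed to add a route: code (\d+)")
ROUTE_RE = re.compile(
    r"Unable to add route\. Network: ([0-9a-f]{8}), Netmask: ([0-9a-f]{8}), "
    r"Interface: ([0-9a-f]{8}), Gateway: ([0-9a-f]{8})", re.IGNORECASE)

def hex_to_ip(word):
    """Assumption: each 8-digit hex word is an IPv4 address, most significant byte first."""
    return ipaddress.IPv4Address(int(word, 16))

def failed_routes(log_text):
    """Pair each 'Unable to add route' line with the AddRoute code logged just before it."""
    results, last_code = [], None
    for line in log_text.splitlines():
        m = CODE_RE.search(line)
        if m:
            last_code = int(m.group(1))
            continue
        m = ROUTE_RE.search(line)
        if not m:
            continue
        net, mask, iface, gw = (hex_to_ip(g) for g in m.groups())
        prefix = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        results.append({
            "code": last_code,
            "error": WIN32_ERRORS.get(last_code, "unknown"),
            "network": str(prefix),
            "interface": str(iface),
            "gateway": str(gw),
            "host_route": prefix.prefixlen == 32,   # netmask ffffffff
            "gateway_is_interface": gw == iface,    # on-link route via the adapter itself
        })
        last_code = None
    return results

if __name__ == "__main__":
    for route in failed_routes(SAMPLE_LOG):
        print(route)
```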
Found it !!
I installed the Cisco VPN Client on a second computer and tested it and got the same result. Both are Windows XP with SP2. I found something that said that different VPN clients cannot live on the same computer. I uninstalled the Symantec client from one PC, rebooted and reinstalled the Cisco VPN Client and all is well. I did the same uninstall on the first computer and it now also works.
Thanks for listening ;-)
it's good to learn that your issue has been resolved. and thanks for sharing the resolution.
there's sth new everyday.
I don't have any other VPN clients installed and still get the same error message. Any other suggestion would be appreciated.
please provide an update on what has been tested so far, such as re-install the vpn client or try a different version etc.
So far, I've installed on a couple of PCs running Windows XP with SP2. The Cisco VPN client version is 4.6.04.0043, and all of those PCs get the same error message. I have re-installed them a couple of times, and still the same result. But I haven't tried a different version yet. Which version would you suggest to download and try it out?
I am running client version 4.6 on one computer and 4.7 on another. Both are XP w/ SP2 on them and they both now are working.
i tested v4.6 sometime ago and it crashed my laptop several times. i gave up and since then i've been using v4.0.3(a). no drama at all.
I uninstalled 4.6 and rebooted, then installed 4.7. Still get the same error message. Any other suggestion?
I had the same problem. I believe the code 87 is because the address of the WAN interface is a.b.c.d/32 but this is of no consequence.
Get the tunnel up and check the status of the client.
If it shows transparent as disabled then do a 'route print' from your cmd window and the default route 0.0.0.0 will have two entries, 1 to the vpn tunnel, the second to the dialup interface. The traffic will actually use the first entry.
Testing using ethereal also showed that the packets were actually sent down the tunnel.
If I used the PC connected via ADSL then NAT was performed and it worked correctly.
If I connected via dialup, which seems to be what you are doing, then no NAT is performed and even though the IPSEC tunnel eventuates, no traffic flowed.
All correct SA's establish but no traffic flows for the dialup connection.
When I checked the client I found that Transparent tunnelling was DISABLED when using the dialup service but active on the ADSL.
Checking with the concentrator I found that replies were being sent back, but dropped as NAT-T was not being used, so the IPSEC packets were not being tunneled.
The firewall had incoming entries for AH, ESP TCP/500 and UDP 4500 (IPSEC over UDP).
When you use standard ADSL NAT is performed between the PC LAN and the WAN and thus NAT-T is required, the UDP connection is trackable through the firewall.
When you do not have NAT-T then the firewall cannot track ESP as it is a protocol with no forward backward ports etc, and therefore not able to be a stateful connection.
I solved this by allowing the firewall to let ESP traffic back out from the concentrator to anywhere.
Add a rule similar to this.
access-list outgoing permit esp host concentrator_addr any
applied to the inside interface used for the VPN
I'm having the exact problem with VPN Client on XP (Home) SP2. Once the tunnel is established can't open web pages or ping IP addresses that normally respond. I've searched the archives and have found all kinds of suggestions, but so far no solution. About a year ago I installed 4.0.4 and after much grief got it working. Recently, (like a fool) I decided to upgrade to get the latest security enhancements. Now everything I try fails with the "AddRoute failed to add a route: code 87" message. After hours of frustration here's what I've tried:
* Uninstalled v.4.0.4 (BIG MISTAKE!)
* Installed v4.7 (code 87 error)
* Uninstalled 4.7, installed 4.6. (code 87 error)
* Tried uninstalling Norton AntiVirus2005 to no effect (code 87 error)
* Uninstalled 4.6, tried to reinstall 4.0.4 after renaming CSGina.dll per 4.6 release notes. (Got scary popup during installation stating that Microsoft strongly recommends that you abort this installation -- so I did!)
* With regedit I removed all registry entries having anything to do with VPN Client, cvpnd, etc.
* Tried reinstalling 4.7 again with same symptom!
Hope someone has some ideas besides reinstalling the OS. (That would take me days given the huge amount of s/w on my PC with all of the corresponding update downloads, etc.) I really need VPN Client in order to work from home, but IT SHOULDN'T BE THIS HARD!!!