Easy VPN hardware clients with VTI configured for no-split tunneling break with the default route pushed by the server
This issue is seen with an Easy VPN client router connected to a server with a Virtual Tunnel Interface (VTI) and no-split tunneling configured.
If an Easy VPN client is configured with a static route to the Internet, when the VPN comes up, it gets an additional static route out to the VPN. Therefore, the client ends up with two static routes. This breaks the VPN, as the client is unable to control which static route the traffic takes.
This is the correct and expected behavior. With no-split tunneling, all the traffic needs to be protected over the tunnel. Since VTI uses routing in order to decide which traffic must be protected, a default route needs to be installed in the case of no-split tunneling.
Note: Most routers that run the Cisco Easy VPN Client software have a default route configured. The default route that is configured must have a metric value greater than 1. The route points to the virtual access interface, so that all traffic is directed to the corporate network when the concentrator does not "push" the split tunnel attribute.
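The rule in the note above can be checked against a client's running-config before the tunnel is brought up. The following Python check is an added example, not code from the original document or from Cisco. It assumes the value the page calls the metric is the optional trailing distance argument of `ip route`, which IOS treats as 1 when omitted. The sample configurations, the profile name `EZ` and the 192.0.2.1 next hop are constructed, and only global (non-VRF) routes are examined.

```python
import re

# Constructed sample running-config excerpts (not from the original page).
CONFIG_BROKEN = """\
crypto ipsec client ezvpn EZ
 connect auto
 mode client
 virtual-interface 1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""
# Same client, with the default route given a value greater than 1.
CONFIG_FIXED = CONFIG_BROKEN.replace("192.0.2.1", "192.0.2.1 2")

# ip route options that take an argument which must not be read as a distance.
KEYWORDS_WITH_VALUE = {"name", "track", "tag"}


def default_routes(config):
    """Yield (line, distance) for each global default static route."""
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            continue
        distance = 1  # assumption: value IOS applies when none is given
        rest = iter(tokens[4:])
        for tok in rest:
            if tok in KEYWORDS_WITH_VALUE:
                next(rest, None)  # skip the keyword's argument
            elif tok.isdigit():
                distance = int(tok)  # first bare integer is the distance
                break
        yield line.strip(), distance


def audit(config):
    """Return default routes that break the page's 'greater than 1' rule."""
    uses_vti = re.search(r"^\s*virtual-interface\b", config, re.M) is not None
    if not uses_vti:
        return []  # rule only applies to Easy VPN clients using a VTI
    return [line for line, dist in default_routes(config) if dist <= 1]


if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        print(label, audit(cfg) or "no conflicting default route")
```
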