
New Member

pix 501 vpn problem

I can connect but don't see any network resources.

The Vpn Client, ver:5.0.01, is running on an xp machine.

The network it is connecting to is behind a pix501- Ver. 6.3(5).

When the connection is made, the remote client gets an assigned address from the VPN pool 192.168.2.10-192.168.2.25.

The vpn client log shows:

Line:45 18:07:27.898 08/12/09 Sev=Info/4 CM/0x63100034

The Virtual Adapter was enabled:

IP=192.168.2.10/255.255.255.0

DNS=0.0.0.0,0.0.0.0

WINS=0.0.0.0,0.0.0.0

Domain=

Split DNS Names=

This is followed by these lines:

46 18:07:27.968 08/12/09 Sev=Warning/2 CVPND/0xE3400013

AddRoute failed to add a route: code 87

Destination 192.168.1.255

Netmask 255.255.255.255

Gateway 192.168.2.1

Interface 192.168.2.10

47 18:07:27.968 08/12/09 Sev=Warning/2 CM/0xA3100024

Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8020a, Gateway: c0a80201.

48 18:07:28.178 08/12/09 Sev=Info/4 CM/0x63100038

Successfully saved route changes to file.

49 18:07:28.198 08/12/09 Sev=Info/6 CM/0x63100036

The routing table was updated for the Virtual Adapter

50 18:07:29.760 08/12/09 Sev=Info/4 CM/0x6310001A

One secure connection established

* ...

I can ping, from the remote client, to an inside IP behind the PIX even when I get the "add route failure" shown above, but I can't ping the computer name.

I enabled NAT traversal using the PDM, but when I connect with this option I get the error that the "Remote end is NOT behind a NAT device This end IS behind a NAT device" and ping fails.

Behind the pix are a few computers with no central server so I'm not passing a WINS server to the remote client.

I set up the vpn with the wizard.

Attached is the config file.

Any suggestions would be appreciated.

Regards,

Hugh


23 REPLIES

Re: pix 501 vpn problem

Add to your config NAT-T and try again

pix(config)#isakmp nat-traversal

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

Regards

New Member

Re: pix 501 vpn problem

I did try isakmp nat-traversal but got the error I noted in my post. I couldn't even ping then. I'll try again. Do I need to add any seconds or just leave it blank?

Re: pix 501 vpn problem

Could you correct your VPN pool to be consistent with your nonat exempt rule prior to troubleshooting further?

You have a /28 pool network, which gives 14 hosts, and the range should start at host .1 and end at .14; your config has ip local pool vpp1 192.168.2.10-192.168.2.25

Your VPN pool should be:

ip local pool vpp1 192.168.2.1-192.168.2.14

As for NAT-T, the 20 is the default, so it will be added automatically.

[edit]

After you correct the VPN pool network range, try the VPN client and access resources in the 192.168.1.0/24 network.

Post results

New Member

Re: pix 501 vpn problem

OK, I will change the pool.

I just tried the NAT-T but still nothing to "see". I was able to ping inside though, so I must have had some other config setting when ping failed.

I'm still getting the "add route failure" in the client log; is this significant?

The client log shows connected and continues with line after line of

"Sent a keepalive on the IPSec SA"

I'll post new results after pool change.

Thanks,

hugh

Re: pix 501 vpn problem

Hugh, correct the pool first and try again.

New Member

Re: pix 501 vpn problem

OK, I'm on my way to try the new pool.

hugh

New Member

Re: pix 501 vpn problem

I changed the pool. Still can't see computer behind pix.

ipconfig shows an IP of 192.168.2.1 for the Cisco adapter but no default gateway.

In the Route Details window: Local LAN routes is empty and Secured routes has 192.168.1.0 255.255.255.0

Bytes sent and received show some in the client statistics, but if I check the Cisco VPN network via Network Connections it shows 0 bytes sent and received.

UDP port 4500, and it says local LAN disabled; I don't understand this as I have 'allow local LAN access' checked in the client setup.

I'm still getting the "add route failure".

hugh

Re: pix 501 vpn problem

Hugh, OK, you corrected the VPN pool. Looking at the config, it seems to be OK (split tunnel ACL etc.), which makes me think perhaps it is the VPN client itself or the machine. Have you tried a different version of the VPN client, or even from a different machine?

Post an updated config again for a second look.

Regards

New Member

Re: pix 501 vpn problem

Yes, I've tried client ver. 4.9.61 on a Mac OS X 10.5.7; it connects but I see nothing, nor can I ping.

I have cisco vpn client 5.0.00.0340 which I can try from windows. What do you think?

The windows os I've tried so far is xp home service pack 2 with cisco client 5.0.01 as noted in first post.

I can try from another windows os xp home service pack 3.

Attached is the latest config.

Thanks for working on this.

Hugh

Re: pix 501 vpn problem

Sorry, I did not notice the crypto ACL is incorrect; change it to a /28, you have it as a /27.

remove this:

no access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

replace with:

permit ip any 192.168.2.0 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

Post if there is still an issue.
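An added check, not from this thread or from Cisco, that puts the two pieces of advice above into code: it decodes the hex fields of the AddRoute warning quoted in the first post, and it verifies that the local pool range fits inside the /28 that the nonat and crypto ACLs must share. The inside network 192.168.1.0/24, the pool ranges and the masks are taken from the thread; the function names are my own.

```python
import ipaddress
import re

# Log line constructed from the client log quoted in the first post.
ROUTE_LOG = ("Unable to add route. Network: c0a801ff, Netmask: ffffffff, "
             "Interface: c0a8020a, Gateway: c0a80201.")


def decode_route_log(line):
    """Turn the hex fields of the AddRoute warning into dotted-quad addresses."""
    fields = dict(re.findall(r"(Network|Netmask|Interface|Gateway): ([0-9a-f]{8})", line))
    return {k: str(ipaddress.ip_address(int(v, 16))) for k, v in fields.items()}


def is_broadcast_route(route, inside_net):
    """True when the route the client failed to add is only the /32 broadcast
    address of the inside LAN, i.e. harmless for reaching hosts on that LAN."""
    net = ipaddress.ip_network(inside_net)
    return (route["Netmask"] == "255.255.255.255"
            and route["Network"] == str(net.broadcast_address))


def pool_fits(pool_start, pool_end, network, mask):
    """True when every address in the pool is a usable host (not the network
    or broadcast address) of network/mask."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    first, last = (int(ipaddress.ip_address(a)) for a in (pool_start, pool_end))
    usable = {int(h) for h in net.hosts()}
    return first <= last and all(a in usable for a in range(first, last + 1))


def audit_ra_vpn(pool_start, pool_end, network, nonat_mask, crypto_mask):
    """Return the configuration discrepancies the thread ended up fixing."""
    issues = []
    if nonat_mask != crypto_mask:
        issues.append(f"nonat mask {nonat_mask} differs from crypto ACL mask {crypto_mask}")
    if not pool_fits(pool_start, pool_end, network, nonat_mask):
        issues.append(f"pool {pool_start}-{pool_end} is not within the usable hosts "
                      f"of {network}/{nonat_mask}")
    return issues


if __name__ == "__main__":
    route = decode_route_log(ROUTE_LOG)
    print(route, "broadcast-only route:", is_broadcast_route(route, "192.168.1.0/24"))
    # Original config: /28 pool range .10-.25 with a /27 crypto ACL.
    print(audit_ra_vpn("192.168.2.10", "192.168.2.25", "192.168.2.0",
                       "255.255.255.240", "255.255.255.224"))
    # Corrected config: pool .1-.14, both ACLs on /28.
    print(audit_ra_vpn("192.168.2.1", "192.168.2.14", "192.168.2.0",
                       "255.255.255.240", "255.255.255.240"))
```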

New Member

Re: pix 501 vpn problem

OK, I need to get this clear:

you mean replace the line:

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

with this line:

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

hugh

Re: pix 501 vpn problem

Yes Hugh, I placed the no in the line.

no access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

and add to your config

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

We just need to make the config clear and consistent to rule out VPN config discrepancies in your issue.

Regards

New Member

Re: pix 501 vpn problem

Yes, I see that the 'no' is part of the command. It did remove the line. I'm about to test now.

I noticed, viewing configuration settings through the PDM, that under VPN/IPSec Rules in the Remote Side panel (detail view), should both be 192.168.2.0/28?

After I changed the access-list outside using the command line tool, this panel had 192.168.2.0/28 but below it was 192.168.2.0/27.

I changed this /27 via Edit and saved. An error message came up, but it now shows both as 192.168.2.0/28.

I presume this is correct.

hugh

Re: pix 501 vpn problem

Yes, try testing again. After that crypto ACL correction, at least the VPN config is consistent, which narrows down the troubleshooting effort.

Also make sure that the hosts behind the PIX on the 192.168.1.0 network don't have any firewalls turned on, so that the VPN pool network can ping those hosts by IP.

Re: pix 501 vpn problem

Hugh, what's the progress on your issue?

New Member

Re: pix 501 vpn problem

Success, I couldn't believe it. It was an enjoyable experience.

I made only one change that I can see by comparing the config files; I removed a specific computer that was in the list of internal networks.

The lines were:

pdm location x.x.x.x 255.255.255.255 inside

http x.x.x.x 255.255.255.255 inside

I have no idea if this did it or not. Maybe the problem was that it was in the same subnet as the main http network? I can test later.

I haven't had the same luck with the Mac OS X VPN client. I can connect and get an IP from the VPN pool but can't ping or find the internal networks. I checked the routes logged in the Mac using netstat, but I don't see the IP given by the PIX to the Mac. If it is connected it must have the route, or at least it seems it should. Maybe this behavior by netstat is normal for a VPN connection.

I was going to work on this later today after other tasks.

Thank you for your help and patience in walking me through this.

regards,

hugh

New Member

Re: pix 501 vpn problem

I forgot to mention that even when I connected successfully via the Windows VPN client, I still got the "AddRoute failed to add" (error code 87) in the VPN client log.

hugh

Re: pix 501 vpn problem

Hugh, post an updated config again.

When you say success but you still get the same error code, what is it? Is it working or not?

In any case, please post the config once again so we can see where we are. Also, prior to posting, add these two statements to your config for testing access to the PIX inside interface IP from the RA VPN client.

(config)#management-access inside

(config)#telnet 192.168.2.0 255.255.255.240 inside

New Member

Re: pix 501 vpn problem

I'll have to get back to you later with the config, and then I can do the changes as suggested. Right now I'm pressed by the usual flood of 'sudden' Monday deadlines.

Sorry, I thought I was clear. I can connect and view shared resources via the Windows OS VPN client. This is what I was unable to do before. While connected, I then checked the VPN client log to see if the 'AddRoute' error was there, and it was.

I concluded that this error was not critical for the problem of viewing the network (prior to this I had searched the web using "cisco error code 87" and found someone who had a network viewing problem but had solved it, and they too still had the "AddRoute" error. Unfortunately they didn't explain how they solved their problem).

So 'success' meant: yes, I can connect and view network resources; but for some reason the 'AddRoute' error still happens.

Secondly: I can connect with the Mac VPN client but I can't ping the internal network, nor can I view shared resources behind the PIX 501 (both of which I can now do from the Windows client).

My line of thought here is that it has to do with the Mac OS X system, but I haven't had time to research it yet.

What's your idea behind the testing plan?

Is this something I would monitor from inside the pix?

hugh

Re: pix 501 vpn problem

Hugh, thanks for clarifying. The last two statements I indicated don't need to be placed in the config unless you want to manage or ping the PIX firewall inside interface from the RA VPN.

Since you can get to all resources from Windows, it seems the issue can be narrowed down to the MAC OS and not the PIX configuration.

For the MAC issue I would have to look; I don't have a MAC I could test with in my lab.

Regards

New Member

Re: pix 501 vpn problem

OK, thank you.

There are so many of your posts; do I rate them all or just the overall conversation?

hugh

Re: pix 501 vpn problem

Hugh, sure, you can rate based on the overall conversation; you are not obligated to do so, but it would certainly be nice to provide ratings.

To summarize the overall narrowing down of possible issues, the main goal was to ensure the RA VPN configuration on the PIX 501 was corrected.

1- We enabled NAT-T on the firewall. Even though this was not the issue, it is required to have it there should you RA VPN from other locations; NAT traversal makes the firewall aware of NAT devices at the other end. Here is some good information on NAT-T for future reference:

http://www.microsoft.com/technet/community/columns/cableguy/cg0802.mspx

2- We corrected the VPN pool network to /28, as well as the nonat access list and crypto ACL, to be consistent.

Here is a link for future reference with numerous PIX configuration scenarios:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Lastly, we can say your only remaining issue is purely isolated to the MAC machine and VPN client software.

You could perhaps try a different version of the client on the MAC, or also look into the release notes' open caveats to rule out Cisco client versioning and MAC versioning, if there are any issues.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_notes_list.html

Regards

New Member

Re: pix 501 vpn problem

I put a rate on this final summary.

Thanks again for all the help.

hugh
