Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA 5505 VPN connection issue ("Unable to add route")

I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.

Setup:

* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)

* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM

NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.

I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.

First I tried with the built-in ASDM IPSec Wizard, instructions found here.

VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).

Client logs show following error messages:

1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F

Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.


2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

Destination     192.168.1.255

Netmask     255.255.255.255

Gateway     172.16.1.1

Interface     172.16.1.101


3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024

Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.


4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0


5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0


6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0


7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F

Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.


8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

Destination     192.168.1.255

Netmask     255.255.255.255

Gateway     172.16.1.1

Interface     172.16.1.100


9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024

Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.

I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).

A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)

Result of the command: "sh run"


: Saved

:

ASA Version 8.2(5)

!

hostname AsaDWD

enable password kLu0SYBETXUJHVHX encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group DW-VPDN

ip address pppoe setroute

!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group DW-VPDN request dialout pppoe

vpdn group DW-VPDN localname fa******@SKYNET

vpdn group DW-VPDN ppp authentication pap

vpdn username fa******@SKYNET password *****

dhcpd auto_config outside

!

dhcpd address 192.168.2.5-192.168.2.36 inside

dhcpd domain DOMAIN interface inside

dhcpd enable inside

!


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DWD internal

group-policy DWD attributes

vpn-tunnel-protocol IPSec

username test password ******* encrypted privilege 0

username test attributes

vpn-group-policy DWD

tunnel-group DWD type remote-access

tunnel-group DWD general-attributes

address-pool DWD-VPN-Pool

default-group-policy DWD

tunnel-group DWD ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4

: end

I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.

Following commands have been entered:

ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0

username *** password ****


isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 43200

isakmp enable outside


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp nat-traversal


sysopt connection permit-ipsec

sysopt connection permit-vpn


group-policy dwdvpn internal

group-policy dwdvpn attributes

vpn-tunnel-protocol IPSec

default-domain value DWD


tunnel-group dwdvpn type ipsec-ra

tunnel-group dwdvpn ipsec-attributes

pre-shared-key ****

tunnel-group dwdvpn general-attributes

authentication-server-group LOCAL

default-group-policy dwdvpn

Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.

I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...

The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.

Does anyone know what's going on?

5 REPLIES
New Member

Cisco ASA 5505 VPN connection issue ("Unable to add route")

Anyone?

I've started from scratch again and am facing the same issue. Very frustrating :/

Cisco ASA 5505 VPN connection issue ("Unable to add route")

Please copy your current config on forum and tell me please what is that you cannot access while being on vpn client.

thanks

New Member

Cisco ASA 5505 VPN connection issue ("Unable to add route")

Have you tried it from another PC?

New Member

Cisco ASA 5505 VPN connection issue ("Unable to add route")

Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.

Please find my renewed config below:

DWD-ASA(config)# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname DWD-ASA

enable password ******* encrypted

passwd ****** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group DWD

ip address pppoe setroute

!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

vpdn group DWD request dialout pppoe

vpdn group DWD localname *****@SKYNET

vpdn group DWD ppp authentication pap

vpdn username *****@SKYNET password *****

dhcpd auto_config outside

!

dhcpd address 192.168.2.10-192.168.2.40 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy dwdipsec internal

group-policy dwdipsec attributes

vpn-tunnel-protocol IPSec

default-domain value DWDDOM

username user1 password ***** encrypted privilege 0

username user1 attributes

vpn-group-policy dwdipsec

tunnel-group dwdipsec type remote-access

tunnel-group dwdipsec general-attributes

address-pool vpnpool

default-group-policy dwdipsec

tunnel-group dwdipsec ipsec-attributes

pre-shared-key *****

tunnel-group dwdssl type remote-access

tunnel-group dwdssl general-attributes

address-pool vpnpool

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f5c8dd644aa2a27374a923671da1c834

: end

DWD-ASA(config)#

Re: Cisco ASA 5505 VPN connection issue ("Unable to add route")

Please change your ACL as shown below...

access-list inside_nat0_outbound extended permit ip 192.168.2.0 mask 255.255.255.0 192.168.50.0 255.255.255.224

Please confirm that your inside hosts have its default gatway assign.

If your inside switch is a Layer3 switch please make sure that you have a static-route in place to push vpn bound traffic to FW's inside address as shown below.

"ip route 192.168.50.0 255.255.255.0 192.168.2.254"

Please include this line as well on your dynamic crypto config.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

To access the internet via VPN client connection to corprate network use the config below.

nat (outside) 1 192.168.50.0 255.255.255.0

Let me know the result

Thanks

Rizwan Rafeek

3881
Views
0
Helpful
5
Replies