Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Problem to reach a subnet through Cisco VPN client

Good morning,

I configured a remote VPN in order to reach a subnet specific of my company, I connect across of Cisco VPN client. We suppose that this subnet has 2 IPs availables( and, when I connect to that subnet, sometimes I can do ping to the first address but the second no and then, I connect again to the VPN and the opposite occurs, the first IP can´t do ping but to the second IP yes. Sometimes I can do ping to all IPs of the subnet. This Subnet is inside of a VRF

Best regards,


Problem to reach a subnet through Cisco VPN client

Hello, Francisco.

Could you please share your configuration?

Are you sure that IP-addresses you are trying to ping are really on the subnet (you might be pinging some other devices with the same IP-addresses)?!

Problem to reach a subnet through Cisco VPN client


This is de configuration:

aaa new-model

aaa group server radius Radius-PMS

server-private X.X.X.X auth-port 1812 acct-port 1813 key 70055415550

server-private X.X.X.X auth-port 1812 acct-port 1813 key 7  06575D7218

ip radius source-interface Loopback0

aaa authentication login default local

aaa authentication login vpn1 local

username xxxx privilege 15 secret 5 xxxxxxxxxxxxxxxx

crypto isakmp client configuration group VPN_VOIP

key xxxxxx



crypto isakmp profile VPN_VOIP

   vrf VPN_xxxxxxx_01

   match identity group VPN_VOIP

   client authentication list vpn1

   isakmp authorization list vpn1

   client configuration address initiate

   client configuration address respond

crypto ipsec transform-set strong-encryption esp-3des esp-sha-hmac

crypto dynamic-map VPN_VOIP 2

set security-association idle-time 86400

set transform-set strong-encryption

set isakmp-profile VPN_VOIP


crypto map Ipsec-Static-msspain 60 ipsec-isakmp dynamic VPN_VOIP

interface GigabitEthernet0/0.533

encapsulation dot1Q xxx

ip address X.X.X.X

no ip proxy-arp

ip accounting output-packets

ip virtual-reassembly max-reassemblies 1024

crypto map Ipsec-Static-msspain

ip local pool VPN_VOIP X.X.X.X X.X.X.X group VPN_VOIP

ip access-list extended VPN_VOIP

permit ip any

Yes, I am sure because the IP is in range and the ACL (VPN_VOIP) is /16. I ping to an IP of the range and sometimes don't.

Best regard,

Re: Problem to reach a subnet through Cisco VPN client


Your configuration looks fine, but I see no other interfaces in the VRF mentioned.

(You might have stripped "aaa author network vpn1 local").

1. Could you please trace (.3) from the client?

2. Could you please try to ping the address from the Easy VPN server during the issue?

PS: the issue could be in the ommitted part of your configuration.

PS2: could you provide statistics screenshot per two cases (when you can/can't ping the IP-address)?

CreatePlease to create content