Cisco Support Community
New Member

VPN not routing traffic

Have a Cisco 3005 Concentrator and some users are not able to route traffic due to the gateway not being the same as the VPN interface.  The issue occurred after one of the groups was deleted from the 3005 device.  Users are able to connect but cannot reach the remote network.  When looking at "route print" the gateway shows a different IP address other than the Interface IP of the VPN virtual device.  Is there a way to force a change or clear out routes? Example:

  Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.5    172.20.10.122     20
         10.1.0.0    255.255.255.0      172.20.10.1     172.20.10.59    100
         10.2.0.0    255.255.255.0      172.20.10.1     172.20.10.59    100
     65.216.9.229  255.255.255.255      172.20.10.5    172.20.10.122    100
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link     172.20.10.122    296
  169.254.255.255  255.255.255.255         On-link     172.20.10.122    276
      172.20.10.0    255.255.255.0         On-link     172.20.10.122    276
      172.20.10.0    255.255.255.0         On-link      172.20.10.59    276
      172.20.10.0    255.255.255.0      172.20.10.1     172.20.10.59    100
      172.20.10.6  255.255.255.255         On-link     172.20.10.122    100
     172.20.10.59  255.255.255.255         On-link      172.20.10.59    276
    172.20.10.122  255.255.255.255         On-link     172.20.10.122    276
    172.20.10.122  255.255.255.255      172.20.10.1     172.20.10.59    276
    172.20.10.255  255.255.255.255         On-link     172.20.10.122    276
    172.20.10.255  255.255.255.255         On-link      172.20.10.59    276
    172.20.10.255  255.255.255.255      172.20.10.1     172.20.10.59    276
      172.20.11.0    255.255.255.0      172.20.10.1     172.20.10.59    100
      172.20.21.0    255.255.255.0      172.20.10.1     172.20.10.59    100
      172.20.31.0    255.255.255.0      172.20.10.1     172.20.10.59    100
      172.20.50.0    255.255.255.0      172.20.10.1     172.20.10.59    100
      172.20.51.0    255.255.255.0      172.20.10.1     172.20.10.59    100

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: VPN not routing traffic

There are some group settings for NAT-T, so it makes sense that some clients had the problem but others didn't.  Good to know that another cause of a VPN client routing problem could be related to the absence of NAT-T.  I rated your answer.

18 REPLIES
Silver

Re: VPN not routing traffic

This URL provides information on how to modify static routes on the concentrator.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/iprout.html#wp999578

This URL provides information on how to remove dynamically learned routes.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/rttab.html

HTH

New Member

Re: VPN not routing traffic

Looked at the routing on the concentrator but the issue resides on the client.  The routes on the concentrator are correct.  The client is not sending traffic out of the interface due to the incorrect gateway, from what I can tell.  I'm looking for a way to correct the gateway on the client side.

Silver

Re: VPN not routing traffic

I'm thinking that the group you deleted was the group these clients were in, and now they are using the base group?

Are they using split tunneling?

New Member

Re: VPN not routing traffic

Split tunneling is enabled and yes the users were in the group that was deleted.  The profile on the client side has been deleted and recreated and other groups have been tried with the same results.  On another system using the same group the VPN connects and the gateway for the remote access shows the VPN interface IP address and users are able to access the remote network.  If the gateway for the remote network shows anything other than the VPN interface then routing does not work.  I've tried deleting routes and re-adding with no luck.

Silver

Re: VPN not routing traffic

Can you check the order of the Windows adapters?  We've run into some issues when the VPN adapter is not listed first.  HTH

New Member

Re: VPN not routing traffic

VPN adapter is listed first.  I can ping the VPN adapter IP but nothing beyond.  Tracert to anything on the remote network times out on the first hop.

New Member

Re: VPN not routing traffic

Try configuring reverse route in the concentrator, check the logs, then paste them here.

Silver

Re: VPN not routing traffic

My best guess is that this problem is related to the split tunnel ACL.  

You can also assign dynamic filters by group or user.  Please check to see whether this is the case.

Please also make sure the IP subnet of the central site that you connect to does not cover the IP subnet of the local gateway (for example: main office IP 192.168.1.0/24, local gateway 192.168.1.0/24).

It may be with the change to the default group that the address pool for the VPN client has changed.  Please verify that routing to the remote client's network is available within your central site.
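
The subnet-overlap check suggested in the reply above, as an added example that is not part of the original thread: it parses the IPv4 rows of Windows `route print` output and reports subnets that are directly connected on more than one local interface. The sample rows are copied from the table in the first post; the function names are hypothetical.

```python
import ipaddress

# Rows copied from the route table in the first post (subset, Vista/7 format).
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.5    172.20.10.122     20
         10.1.0.0    255.255.255.0      172.20.10.1     172.20.10.59    100
      172.20.10.0    255.255.255.0         On-link     172.20.10.122    276
      172.20.10.0    255.255.255.0         On-link      172.20.10.59    276
      172.20.10.0    255.255.255.0      172.20.10.1     172.20.10.59    100
     172.20.10.59  255.255.255.255         On-link      172.20.10.59    276
    172.20.10.122  255.255.255.255         On-link     172.20.10.122    276
      172.20.11.0    255.255.255.0      172.20.10.1     172.20.10.59    100
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            ipaddress.ip_address(iface)
            routes.append((net, gw, iface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes

def overlapping_direct(routes):
    """Pairs of directly connected subnets on different interfaces that overlap."""
    direct = sorted({
        (net, iface) for net, gw, iface, _ in routes
        # Vista/7 prints "On-link"; XP prints the interface IP as the gateway.
        if (gw == "On-link" or gw == iface)
        and net.prefixlen < 32                      # skip host and broadcast routes
        and not (net.is_multicast or net.is_loopback)
    })
    hits = []
    for i, (a, ia) in enumerate(direct):
        for b, ib in direct[i + 1:]:
            if ia != ib and a.overlaps(b):
                hits.append((str(a), ia, str(b), ib))
    return hits

if __name__ == "__main__":
    for a, ia, b, ib in overlapping_direct(parse_routes(SAMPLE)):
        print(f"{a} via {ia} overlaps {b} via {ib}")
```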

New Member

Re: VPN not routing traffic

Do not think it is a Split Tunnel issue as the majority of the users have no issues.  At this time 3 users have a routing issue that I am aware of, two of which were connected when the group was deleted and one was not connected when the group was deleted.  Have re-installed the Cisco client on two of the three users and the routing issue still appears.

Silver

Re: VPN not routing traffic

Are you able to verify the remote clients' address pools?  If the deleted group was assigned its own address pool then these clients will get new addresses.  If they overlap with the concentrator's address it could cause some access problems.

HTH

New Member

Re: VPN not routing traffic

Address pool has been verified for the users and all users use the same pool.  Tested using a different group and address pool with same result, connects but cannot route traffic.

Silver

Re: VPN not routing traffic

Are all of your clients running Vista or is there possibly a difference between the Vista and non-Vista clients' results?

New Member

Re: VPN not routing traffic

Have users with XP, Vista and 7 that are having this issue.  Have disabled local firewalls with same results.

Silver

Re: VPN not routing traffic

The concentrator will save a backup configuration file every time you save the configuration.  Do you possibly have the backup file that could be used to determine the settings for the deleted group?

My other question is, I haven't worked with Vista before, but does the output of the route print indicate that this PC has dual NICs?

Cisco Employee

Re: VPN not routing traffic

Agree with the previous poster, check the backup of the config and compare the group settings.

Also: you say all users are using the same pool, but is it the same pool as before (when everything was working ok) ?

Can you also please get:

- "ipconfig -a" and  "route print" before and after connecting

- client logs at level 15 (make sure the client is not running, edit the vpnclient.ini file, set the log levels to 15, save the file, start the client, do not edit the log levels in the GUI)

New Member

Re: VPN not routing traffic

Do not have the original config prior to the group being deleted.  I'm starting to think it's an issue of routing between the VPN Virtual adapter and the NIC since the user can connect and the issue is not widespread but only affecting a few users.  Will get the route print and ipconfig print outs later today and post.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10       20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10       20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:


Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       20
         10.1.0.0    255.255.255.0     172.20.10.62    172.20.10.62       1
         10.2.0.0    255.255.255.0     172.20.10.62    172.20.10.62       1
     65.216.9.229  255.255.255.255      192.168.1.1    192.168.1.10       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      172.20.10.0    255.255.255.0     172.20.10.62    172.20.10.62       1
     172.20.10.62  255.255.255.255        127.0.0.1       127.0.0.1       20
      172.20.11.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.21.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.31.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.50.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.51.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.60.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.61.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.70.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.71.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.81.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.91.0    255.255.255.0     172.20.10.62    172.20.10.62       1
   172.20.255.255  255.255.255.255     172.20.10.62    172.20.10.62       20
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       20
      192.168.1.1  255.255.255.255     192.168.1.10    192.168.1.10       1
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10       20
        224.0.0.0        240.0.0.0     172.20.10.62    172.20.10.62       20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10       20
  255.255.255.255  255.255.255.255     172.20.10.62    172.20.10.62       1
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\jmcclanahan>route print

New Member

Re: VPN not routing traffic

Update: issue was related to NAT-T.  Not sure if something happened when the group was deleted but enabling NAT-T resolved the routing problem for the users who were not able to route traffic.
