Cisco remote access VPN Client error: AddRoute failed to add a route: code 5010

Posted on 2008-09-30
Last Modified: 2012-05-05
I am attempting to set up a remote access vpn on a cisco 5510 ASA.
I am running the cisco 5.0.3.0560 vpn client on vista.
The VPN connects and I have access to the network; however, it takes about a minute to connect and I am getting the following errors in the log on the VPN client. I need someone to explain why I am getting these error messages and how I can fix them. Also, I don't understand the default gateway for the VPN clients. Where is this value set? At the moment the clients are assigned an address from a local pool 10.0.5.2 - 10.0.5.20 and the default gateway on these clients is set to 10.0.5.1. Where does this gateway exist?

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000

8      10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 5010
      Destination      0.0.0.0
      Netmask      0.0.0.0
      Gateway      10.0.5.1
      Interface      10.0.5.2

9      10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a000502, Gateway: a000501.

10     10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168

11     10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80102, Gateway: c0a80102.

Here are some show commands from the ASA for troubleshooting.

ciscoasa# show run crypto
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20


ciscoasa# show run tunnel-group
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *


ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.1     YES manual up                    up
Ethernet0/1                10.0.6.1        YES manual down                  down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Management0/0              unassigned      YES unset  administratively down down

ciscoasa#sh route

Question by:rgoggins
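The four log entries in the question describe the same route two ways: the CVPND entry prints dotted addresses, while the CM entry that follows prints each address as the unpadded hex of its 32-bit value (a000502 is 0x0a000502, i.e. 10.0.5.2; a000501 is 10.0.5.1; c0a801ff is 192.168.1.255). Decoding them shows that the client is trying to install a default route (0.0.0.0/0) via 10.0.5.1 on its virtual adapter 10.0.5.2, and then to delete a host route for 192.168.1.255 on its physical adapter 192.168.1.2. The numeric codes are Windows system error codes: 5010 is ERROR_OBJECT_ALREADY_EXISTS and 1168 is ERROR_NOT_FOUND, so the add is refused because an equivalent route is already present and the delete fails because the route is not there. The parser below is an added example written for this thread, not code from Cisco or from the poster; it embeds the log lines copied from the question and has no other dependencies.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Log excerpt copied from the question above (Cisco VPN Client 5.0.03.0560 on Vista).
SAMPLE_LOG = """\
8      10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 5010
      Destination      0.0.0.0
      Netmask      0.0.0.0
      Gateway      10.0.5.1
      Interface      10.0.5.2

9      10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a000502, Gateway: a000501.

10     10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168

11     10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80102, Gateway: c0a80102.
"""

# "<seq> <time> <date> Sev=<level>/<n> <module>/<code>"
HEADER_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\S+)$")
CM_ROUTE_RE = re.compile(
    r"Unable to (add|delete) route\. Network: ([0-9a-f]+), Netmask: ([0-9a-f]+), "
    r"Interface: ([0-9a-f]+), Gateway: ([0-9a-f]+)\."
)
CVPND_ROUTE_RE = re.compile(r"AddRoute failed to add a route: code (\d+)")
KV_RE = re.compile(r"^\s+(Destination|Netmask|Gateway|Interface)\s+(\S+)$")


def hex_to_ip(h: str) -> str:
    """CM entries print IPv4 addresses as unpadded hex of the 32-bit value:
    a000502 -> 0x0a000502 -> 10.0.5.2, and a bare 0 -> 0.0.0.0."""
    return str(ipaddress.IPv4Address(int(h, 16)))


@dataclass
class RouteEvent:
    seq: int
    module: str        # e.g. CVPND/0xE3400013 or CM/0xA3100024
    action: str        # "add" or "delete"
    destination: str
    netmask: str
    gateway: str
    interface: str     # address of the local adapter the route is bound to
    code: str | None = None   # the Windows error code, when the entry carries one

    @property
    def prefix(self) -> str:
        plen = bin(int(ipaddress.IPv4Address(self.netmask))).count("1")
        return str(ipaddress.IPv4Network(f"{self.destination}/{plen}", strict=False))

    @property
    def is_default(self) -> bool:
        return self.prefix == "0.0.0.0/0"


def parse_route_events(text: str) -> list[RouteEvent]:
    """Pair each numbered header with the route message that follows it; other entries are skipped."""
    events: list[RouteEvent] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        if not h or i + 1 >= len(lines):
            i += 1
            continue
        seq, module, body = int(h.group(1)), h.group(6), lines[i + 1]
        if m := CM_ROUTE_RE.match(body):
            action, net, mask, iface, gw = m.groups()
            events.append(RouteEvent(seq, module, action, hex_to_ip(net), hex_to_ip(mask),
                                     hex_to_ip(gw), hex_to_ip(iface)))
            i += 2
            continue
        if m := CVPND_ROUTE_RE.match(body):
            fields = {}
            j = i + 2
            while j < len(lines) and (kv := KV_RE.match(lines[j])):
                fields[kv.group(1)] = kv.group(2)
                j += 1
            events.append(RouteEvent(seq, module, "add", fields["Destination"], fields["Netmask"],
                                     fields["Gateway"], fields["Interface"], code=m.group(1)))
            i = j
            continue
        i += 1
    return events


def failed_default_route_adds(events: list[RouteEvent]) -> list[RouteEvent]:
    """The entries behind 'code 5010' in the question: attempts to add 0.0.0.0/0."""
    return [e for e in events if e.action == "add" and e.is_default]


if __name__ == "__main__":
    for e in parse_route_events(SAMPLE_LOG):
        print(f"#{e.seq} {e.module}: {e.action} {e.prefix} via {e.gateway} on {e.interface}"
              + (f" (code {e.code})" if e.code else ""))
```

Running it prints one decoded line per route event, which makes the CVPND and CM entries visibly describe the same 0.0.0.0/0 via 10.0.5.1 route; the hex decoder is the reusable part for any other CM/0xA31000xx line.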
LVL 1

Author Comment

by:rgoggins
ID: 22610992
Here is the ASA config.
ciscoasa# show run
 
ASA Version 7.2(1)
!
hostname ciscoasa
enable password 
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.6.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.5.2-10.0.5.10 mask 255.255.255.0
no failover
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled
route inside 0.0.0.0 0.0.0.0 10.0.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SecureMeGrp internal
username luke password YjHxA4FLXiCu2Hvu encrypted
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac18c472842b5219e88f5e2bb634d8d1
: end

LVL 79

Expert Comment

by:lrmoore
ID: 22615662
How are you getting to it at all when the default route is inside to a non-existent gateway?

With a private IP on the outside, I can only assume that this is in a lab/test environment?
>Ethernet0/1                10.0.6.1        YES manual down                  down
There is nothing plugged into the inside interface? You need something plugged into it to get the interface to come up and to have something on the 10.0.6.x network to ping through the VPN to test it.

Remove this:
 no route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled

Add this:
 access-list nonat permit ip any 10.0.5.0 255.255.255.0
 nat (inside) 0 access-list nonat
LVL 1

Author Comment

by:rgoggins
ID: 22620390
Hi Genius,

Thanks for that, I made the changes as you suggested and also updated to the latest version of the VPN client (just came out yesterday) and everything seems to be working fine. You are correct this is a test environment.

So once the client is connected and has an IP address from the 10.0.5.x pool, where does this sit in relation to access lists? i.e. will traffic from the 10.0.5.x VPN host hit the inside access list? Or is it inside the ASA and will only hit outbound access lists?

Thanks for your help.
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22620524
The VPN client will be "outside" but will bypass all acls applied to the outside interface. It will still be beholden to the acls applied to the inside interface that could block traffic to it from inside hosts.
LVL 1

Author Comment

by:rgoggins
ID: 22620718
Thanks,
just on a side note, how do I restrict certain traffic from the VPN client 10.0.5.x to the internal network?
LVL 79

Expert Comment

by:lrmoore
ID: 22621101
Upgrade to 8.0 / ASDM 6.13 and you will get several options to restrict vpn client access with Dynamic Access Policies, and a nice GUI to walk you through it.