rgoggins
asked on
Cisco remote access VPN Client error: AddRoute failed to add a route: code 5010
I am attempting to set up a remote access VPN on a Cisco 5510 ASA.
I am running the Cisco 5.0.3.0560 VPN client on Vista.
The VPN connects and I have access to the network; however, it takes about a minute to connect and I am getting the following errors in the log on the VPN client. I need someone to explain why I am getting these error messages and how I can fix them. Also, I don't understand the default gateway for the VPN clients. Where is this value set? At the moment the clients are assigned an address from a local pool 10.0.5.2 - 10.0.5.20 and the default gateway on these clients is set to 10.0.5.1. Where does this gateway exist?
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000
8 10:12:06.972 10/01/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 5010
Destination 0.0.0.0
Netmask 0.0.0.0
Gateway 10.0.5.1
Interface 10.0.5.2
9 10:12:06.972 10/01/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a000502, Gateway: a000501.
10 10:12:06.972 10/01/08 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168
11 10:12:06.972 10/01/08 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80102, Gateway: c0a80102.
Here are some show commands from the ASA for troubleshooting.
ciscoasa# show run crypto
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
ciscoasa# show run tunnel-group
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
address-pool vpnpool
default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
pre-shared-key *
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Ethernet0/1 10.0.6.1 YES manual down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Management0/0 unassigned YES unset administratively down down
ciscoasa#sh route
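Added example, not part of the original post: the CM records in the client log above print the same route fields as the CVPND record, but as hex IPv4 addresses with leading zeros dropped. This sketch decodes them so the failing routes can be read directly; the function names are hypothetical, and the sample is the log text from the question.

```python
import ipaddress
import re

# Log records copied from the question above.
SAMPLE_LOG = """\
8 10:12:06.972 10/01/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 5010
Destination 0.0.0.0
Netmask 0.0.0.0
Gateway 10.0.5.1
Interface 10.0.5.2
9 10:12:06.972 10/01/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a000502, Gateway: a000501.
10 10:12:06.972 10/01/08 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168
11 10:12:06.972 10/01/08 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80102, Gateway: c0a80102.
"""

HEADER = re.compile(r"^(\d+)\s+\S+\s+\S+\s+Sev=\w+/\d+\s+\w+/0x[0-9A-Fa-f]+$")
ROUTE = re.compile(r"Unable to (add|delete) route\.(.*)")
FIELD = re.compile(r"(Network|Netmask|Interface|Gateway): ([0-9a-fA-F]+)")

def hex_to_ip(value):
    """CM records print IPv4 addresses as hex with leading zeros dropped."""
    return ipaddress.IPv4Address(int(value, 16))

def route_events(log_text):
    """Return one dict per 'Unable to add/delete route' record, decoded."""
    events, seq = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            seq = int(header.group(1))  # record number from the header line
            continue
        failed = ROUTE.search(line)
        if failed and seq is not None:
            f = {k.lower(): hex_to_ip(v) for k, v in FIELD.findall(failed.group(2))}
            net = ipaddress.IPv4Network(f"{f['network']}/{f['netmask']}")
            events.append({"seq": seq, "action": failed.group(1), "route": net,
                           "gateway": f["gateway"], "interface": f["interface"],
                           "default_route": net.prefixlen == 0})
    return events

if __name__ == "__main__":
    for e in route_events(SAMPLE_LOG):
        print(e["seq"], e["action"], e["route"], "via", e["gateway"], "on", e["interface"])
```

Decoded, record 9 is the default route via 10.0.5.1 on the pool address 10.0.5.2, and record 11 is a host route for 192.168.1.255 on the 192.168.1.2 interface.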
How are you getting to it at all when the default route is inside to a non-existent gateway?
With a private IP on the outside, I can only assume that this is in a lab/test environment?
>Ethernet0/1 10.0.6.1 YES manual down down
There is nothing plugged into the inside interface? You need something plugged into it to get the interface to come up and to have something on the 10.0.6.x network to ping through the VPN to test it.
Remove this:
no route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled
Add this:
access-list nonat permit ip any 10.0.5.0 255.255.255.0
nat (inside) 0 access-list nonat
ASKER
Hi Genius,
Thanks for that, I made the changes as you suggested and also updated to the latest version of the VPN client (just came out yesterday) and everything seems to be working fine. You are correct this is a test environment.
So once the client is connected and has an IP address from the 10.0.5.x - x pool, where does this sit in relation to access lists? I.e., will traffic from the 10.0.5.x VPN host hit the inside access in list, or is it inside the ASA and will only hit outbound access lists?
Thanks for your help.
ASKER CERTIFIED SOLUTION
ASKER
Thanks,
Just on a side note, how do I restrict certain traffic from the VPN client 10.0.5.x to the internal network?
Upgrade to 8.0 / ASDM 6.13 and you will get several options to restrict vpn client access with Dynamic Access Policies, and a nice GUI to walk you through it.