Solved

Cisco remote access VPN Client error: AddRoute failed to add a route: code 5010

Posted on 2008-09-30
6
4,164 Views
Last Modified: 2012-05-05
I am attempting to set up a remote access VPN on a Cisco 5510 ASA.
I am running the Cisco 5.0.3.0560 VPN client on Vista.
The VPN connects and I have access to the network; however, it takes about a minute to connect and I am getting the following errors in the log on the VPN client. I need someone to explain why I am getting these error messages and how I can fix them. Also, I don't understand the default gateway for the VPN clients. Where is this value set? At the moment the clients are assigned an address from a local pool 10.0.5.2 - 10.0.5.20 and the default gateway on these clients is set to 10.0.5.1. Where does this gateway exist?

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000

8      10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 5010
      Destination      0.0.0.0
      Netmask      0.0.0.0
      Gateway      10.0.5.1
      Interface      10.0.5.2

9      10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a000502, Gateway: a000501.

10     10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168

11     10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80102, Gateway: c0a80102.

Here are some show commands from the ASA for troubleshooting.

ciscoasa# show run crypto
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20


ciscoasa# show run tunnel-group
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *


ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.1     YES manual up                    up
Ethernet0/1                10.0.6.1        YES manual down                  down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Management0/0              unassigned      YES unset  administratively down down

ciscoasa#sh route
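The hex addresses in the CM messages and the numeric codes in the CVPND messages can be decoded mechanically. The script below is an added example, not code from the thread: it parses the log excerpt above (embedded as sample input copied from the post), converts the hex-packed addresses in the CM/0xA3100024 and CM/0xA3100025 lines to dotted quads, and names the Windows error codes (in winerror.h, 5010 is ERROR_OBJECT_ALREADY_EXISTS and 1168 is ERROR_NOT_FOUND). The event field names and the summary format are the script's own.

```python
"""Decode the Cisco VPN Client route warnings quoted in the question (added example)."""
import ipaddress
import re

# Sample input: the log excerpt from the post, copied verbatim.
LOG = """\
8      10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 5010
      Destination      0.0.0.0
      Netmask      0.0.0.0
      Gateway      10.0.5.1
      Interface      10.0.5.2

9      10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a000502, Gateway: a000501.

10     10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168

11     10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80102, Gateway: c0a80102.
"""

# Windows error codes (winerror.h) that appear in the excerpt.
WINERROR = {1168: "ERROR_NOT_FOUND", 5010: "ERROR_OBJECT_ALREADY_EXISTS"}

HEADER_RE = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+(Destination|Netmask|Gateway|Interface)\s+(\S+)\s*$")
CODE_RE = re.compile(r"\b(?:code|error) (\d+)\b")
CM_ROUTE_RE = re.compile(
    r"Unable to (add|delete) route\. Network: ([0-9a-fA-F]+), Netmask: ([0-9a-fA-F]+), "
    r"Interface: ([0-9a-fA-F]+), Gateway: ([0-9a-fA-F]+)\."
)


def hex_to_ip(hexstr):
    """'a000502' -> '10.0.5.2': the CM lines print the address as a hex integer without leading zeros."""
    return str(ipaddress.IPv4Address(int(hexstr, 16)))


def parse_log(text):
    """Return one dict per numbered log entry, with decoded route and error fields."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"seq": int(m.group(1)), "time": m.group(2), "date": m.group(3),
                       "severity": m.group(4), "level": int(m.group(5)), "source": m.group(6),
                       "message": None, "error": None, "route": None}
            events.append(current)
            continue
        if current is None or not line.strip():
            continue
        kv = KV_RE.match(line)
        if kv:
            # Indented key/value lines belong to the preceding AddRoute message.
            if current["route"] is not None:
                key = kv.group(1).lower()
                current["route"]["network" if key == "destination" else key] = kv.group(2)
            continue
        current["message"] = line.strip()
        code = CODE_RE.search(line)
        if code:
            n = int(code.group(1))
            current["error"] = (n, WINERROR.get(n, "unknown"))
        cm = CM_ROUTE_RE.search(line)
        if cm:
            current["route"] = {"action": cm.group(1), "network": hex_to_ip(cm.group(2)),
                                "netmask": hex_to_ip(cm.group(3)), "interface": hex_to_ip(cm.group(4)),
                                "gateway": hex_to_ip(cm.group(5))}
        elif line.startswith("AddRoute failed"):
            current["route"] = {"action": "add"}
    return events


def summarize(events):
    """One human-readable line per event: route attempted and the Windows error it got."""
    out = []
    for e in events:
        parts = [f"#{e['seq']} {e['source']}"]
        r = e["route"]
        if r and "network" in r:
            parts.append(f"{r['action']} {r['network']}/{r['netmask']} via {r['gateway']} on {r['interface']}")
        if e["error"]:
            parts.append(f"-> {e['error'][0]} {e['error'][1]}")
        out.append(" ".join(parts))
    return out


if __name__ == "__main__":
    for line in summarize(parse_log(LOG)):
        print(line)
```

Decoded, entries 8 and 9 describe the same route: a default route via 10.0.5.1 on the client's virtual adapter 10.0.5.2, which Windows refused with ERROR_OBJECT_ALREADY_EXISTS. Entries 10 and 11 are the client trying to remove a 192.168.1.255/32 route on the physical adapter 192.168.1.2 (the same 192.168.1.0/24 the ASA's outside interface sits on) and Windows answering ERROR_NOT_FOUND. Both are Sev=Warning, which matches the symptom of a slow but ultimately working connection.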

Question by:rgoggins
6 Comments
 
LVL 1

Author Comment

by:rgoggins
ID: 22610992
Here is the ASA config.

ciscoasa# show run
ASA Version 7.2(1)
!
hostname ciscoasa
enable password
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.6.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.5.2-10.0.5.10 mask 255.255.255.0
no failover
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled
route inside 0.0.0.0 0.0.0.0 10.0.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SecureMeGrp internal
username luke password YjHxA4FLXiCu2Hvu encrypted
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac18c472842b5219e88f5e2bb634d8d1
: end

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22615662
How are you getting to it at all when the default route is inside to a non-existent gateway?

With a private IP on the outside, I can only assume that this is in a lab/test environment?
>Ethernet0/1                10.0.6.1        YES manual down                  down
There is nothing plugged into the inside interface? You need something plugged into it to get the interface to come up and to have something on the 10.0.6.x network to ping through the VPN to test it.

Remove this:
 no route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled

Add this:
 access-list nonat permit ip any 10.0.5.0 255.255.255.0
 nat (inside) 0 access-list nonat
 
0
 
LVL 1

Author Comment

by:rgoggins
ID: 22620390
Hi Genius,

Thanks for that, I made the changes as you suggested and also updated to the latest version of the VPN client (just came out yesterday) and everything seems to be working fine. You are correct this is a test environment.

So once the client is connected and has an IP address from the 10.0.5.x pool, where does this sit in relation to access lists? i.e. will traffic from the 10.0.5.x VPN host hit the inside access list, or is it inside the ASA and will only hit outbound access lists?

Thanks for your help.
0

 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22620524
The VPN client will be "outside" but will bypass all acls applied to the outside interface. It will still be beholden to the acls applied to the inside interface that could block traffic to it from inside hosts.
0
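To make that placement concrete, here is an added example (not from the thread, and not Cisco's code) that models in Python the rule lrmoore describes: an ASA object that parses access-list and access-group lines, lets decrypted VPN-pool traffic skip the outside interface's inbound ACL while sysopt connection permit-vpn is in effect (the ASA default), and otherwise evaluates the inbound ACL first-match or, with no ACL applied, falls back to the security-level default (higher to lower permitted). The interface names, security levels, pool and inside subnet are taken from the thread's config; the ACL entries, access-group lines, host addresses and the 10.0.7.1 destination are constructed for illustration, and ports and object-groups are not modelled.

```python
"""Simplified model of where VPN-client traffic meets ASA interface ACLs (added example)."""
import ipaddress


def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' (ports not modelled)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto = tokens[1:4]
    rest = tokens[4:]
    src = _addr(rest)
    dst = _addr(rest)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "line": line}


class Asa:
    """Inbound-ACL evaluation for the two-interface ASA from the thread."""

    def __init__(self, vpn_pool, inside_net):
        self.pool = ipaddress.ip_network(vpn_pool)          # ip local pool vpnpool
        self.nets = {"inside": ipaddress.ip_network(inside_net)}
        self.levels = {"outside": 0, "inside": 100}         # security-level from the config
        self.acls = {}                                      # ACL name -> ACEs in order
        self.groups = {}                                    # interface -> ACL applied inbound
        self.permit_vpn = True                              # sysopt connection permit-vpn (default on)

    def configure(self, lines):
        for line in lines:
            if line.startswith("access-list "):
                ace = parse_ace(line)
                self.acls.setdefault(ace["name"], []).append(ace)
            elif line.startswith("access-group "):
                _, name, _, _, ifname = line.split()        # access-group NAME in interface IF
                self.groups[ifname] = name
            elif line == "no sysopt connection permit-vpn":
                self.permit_vpn = False
            elif line == "sysopt connection permit-vpn":
                self.permit_vpn = True

    def egress_interface(self, dst):
        """Pool addresses and anything not on a named inside network are reached via outside."""
        for ifname, net in self.nets.items():
            if dst in net:
                return ifname
        return "outside"

    def ingress_permitted(self, ifname, src, dst, proto="ip"):
        """Return (permitted, reason) for a packet src->dst arriving inbound on ifname."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if ifname == "outside" and src in self.pool and self.permit_vpn:
            return True, "decrypted VPN traffic bypasses the outside ACL (sysopt connection permit-vpn)"
        name = self.groups.get(ifname)
        if name is None:
            egress = self.egress_interface(dst)
            ok = self.levels[ifname] > self.levels[egress]
            return ok, f"no ACL on {ifname}: security-level default {self.levels[ifname]} -> {self.levels[egress]}"
        for ace in self.acls.get(name, []):                 # first match wins
            if ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]:
                return ace["action"] == "permit", ace["line"]
        return False, f"implicit deny at end of {name}"


# Constructed ACLs for this example; the thread's config has no interface ACLs.
CONFIG = [
    "access-list inside_in deny ip host 10.0.6.10 10.0.5.0 255.255.255.0",
    "access-list inside_in permit ip any any",
    "access-group inside_in in interface inside",
    "access-list outside_in permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0",
    "access-group outside_in in interface outside",
]


def build():
    asa = Asa("10.0.5.0/24", "10.0.6.0/24")
    asa.configure(CONFIG)
    return asa


if __name__ == "__main__":
    asa = build()
    print(asa.ingress_permitted("outside", "10.0.5.2", "10.0.6.10"))   # client -> inside host
    print(asa.ingress_permitted("inside", "10.0.6.10", "10.0.5.2"))    # blocked inside host -> client
    print(asa.ingress_permitted("inside", "10.0.6.20", "10.0.5.2"))    # other inside host -> client
    asa.configure(["no sysopt connection permit-vpn"])
    print(asa.ingress_permitted("outside", "10.0.5.2", "10.0.7.1"))    # now subject to outside_in
```

The three calls in the usage section reproduce the answer: the client reaches the inside host without touching outside_in, while the inside_in entry stops 10.0.6.10 from talking back to the pool. Disabling sysopt connection permit-vpn is the one switch that makes pool traffic subject to the outside ACL, which is why outside_in only matters in the last call.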
 
LVL 1

Author Comment

by:rgoggins
ID: 22620718
Thanks,
just on a side note, how do I restrict certain traffic from the VPN client 10.0.5.x to the internal network?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22621101
Upgrade to 8.0 / ASDM 6.13 and you will get several options to restrict vpn client access with Dynamic Access Policies, and a nice GUI to walk you through it.
0
