• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4388
  • Last Modified:

Cisco remote access VPN Client error: AddRoute failed to add a route: code 5010

I am attempting to set up a remote access VPN on a Cisco ASA 5510.
I am running the Cisco 5.0.3.0560 VPN client on Vista.
The VPN connects and I have access to the network; however, it takes about a minute to connect and I am getting the following errors in the log on the VPN client. I need someone to explain why I am getting these error messages and how I can fix them. Also, I don't understand the default gateway for the VPN clients. Where is this value set? At the moment the clients are assigned an address from a local pool 10.0.5.2 - 10.0.5.20 and the default gateway on these clients is set to 10.0.5.1. Where does this gateway exist?

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000

8      10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 5010
      Destination      0.0.0.0
      Netmask      0.0.0.0
      Gateway      10.0.5.1
      Interface      10.0.5.2

9      10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a000502, Gateway: a000501.

10     10:12:06.972  10/01/08  Sev=Warning/2      CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168

11     10:12:06.972  10/01/08  Sev=Warning/2      CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80102, Gateway: c0a80102.

Here are some show commands from the ASA for troubleshooting.

ciscoasa# show run crypto
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20


ciscoasa# show run tunnel-group
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *


ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.1     YES manual up                    up
Ethernet0/1                10.0.6.1        YES manual down                  down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Management0/0              unassigned      YES unset  administratively down down

ciscoasa#sh route

Asked by: rgoggins

1 Solution
 
rgoggins (Author) commented:
Here is the ASA config.

 
ciscoasa# show run
 
ASA Version 7.2(1)
!
hostname ciscoasa
enable password 
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.6.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.5.2-10.0.5.10 mask 255.255.255.0
no failover
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled
route inside 0.0.0.0 0.0.0.0 10.0.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SecureMeGrp internal
username luke password YjHxA4FLXiCu2Hvu encrypted
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac18c472842b5219e88f5e2bb634d8d1
: end

lrmoore commented:
How are you getting to it at all when the default route is inside to a non-existent gateway?

With a private IP on the outside, I can only assume that this is in a lab/test environment?
>Ethernet0/1                10.0.6.1        YES manual down                  down
There is nothing plugged into the inside interface? You need something plugged into it to get the interface to come up and to have something on the 10.0.6.x network to ping through the VPN to test it.

Remove this:
 no route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled

Add this:
 access-list nonat permit ip any 10.0.5.0 255.255.255.0
 nat (inside) 0 access-list nonat
 
rgoggins (Author) commented:
Hi Genius,

Thanks for that, I made the changes as you suggested and also updated to the latest version of the VPN client (just came out yesterday) and everything seems to be working fine. You are correct this is a test environment.

So once the client is connected and has an IP address from the 10.0.5.x pool, where does this sit in relation to access lists? i.e. will traffic from the 10.0.5.x VPN host hit the inside access list? Or is it inside the ASA and will only hit outbound access lists?

Thanks for your help.
lrmoore commented:
The VPN client will be "outside" but will bypass all acls applied to the outside interface. It will still be beholden to the acls applied to the inside interface that could block traffic to it from inside hosts.
 
rgoggins (Author) commented:
Thanks,
Just on a side note, how do I restrict certain traffic from the VPN client 10.0.5.x to the internal network?
 
lrmoore commented:
Upgrade to 8.0 / ASDM 6.13 and you will get several options to restrict vpn client access with Dynamic Access Policies, and a nice GUI to walk you through it.
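The thread fixes the config in two places (the NAT exemption and the bogus tunneled route in lrmoore's first reply) and then leaves the "how do I restrict VPN client traffic" question with a pointer to 8.0 and DAP. The following is an added example, not config from the thread, that pulls the two fixes together on the ASA 7.2(1) shown above and adds a vpn-filter, which already exists in 7.2 and is the usual way to restrict remote-access clients without upgrading. Two things the thread does not spell out, for context: the client log shows the client trying to install a 0.0.0.0/0 route over its virtual adapter because SecureMeGrp has no split-tunnel policy (the default is to tunnel everything), and the codes are ordinary Windows error codes (5010 is ERROR_OBJECT_ALREADY_EXISTS, 1168 is ERROR_NOT_FOUND, i.e. a route that was already present and one that was not there to delete). The 10.0.5.1 "gateway" is not configured anywhere on the ASA; it is a next-hop the client synthesizes inside the pool subnet for its virtual adapter, and the adapter encapsulates everything it sends regardless of that address. The host 10.0.6.10 and port 3389 in the filter are assumptions made up for the example.

```text
! Added example (not from the thread): corrected ASA 7.2 configuration for the
! remote-access VPN above. Assumed values: 10.0.6.10 (an internal host) and
! 3389 (the only port VPN clients may reach on it).

! 1. The tunneled default route points at 10.0.5.55, an address inside the VPN
!    pool that belongs to no host. Remove it so decrypted client traffic follows
!    the normal routing table.
no route inside 0.0.0.0 0.0.0.0 10.0.5.55 tunneled

! 2. NAT exemption (7.2 syntax): traffic between the inside network and the VPN
!    pool must not be translated, or return traffic never makes it back into
!    the tunnel. The thread uses "any" as the source; naming the inside network
!    keeps the exemption to what actually needs it.
access-list nonat extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Restrict what VPN clients may reach. A vpn-filter ACL is written with the
!    VPN client as the source and the inside host as the destination; the ASA
!    applies it to both directions of the tunnel. Anything not permitted is
!    dropped by the implicit deny, even though VPN traffic bypasses the outside
!    interface ACL (sysopt connection permit-vpn is on by default).
access-list VPN_CLIENT_FILTER extended permit tcp 10.0.5.0 255.255.255.0 host 10.0.6.10 eq 3389
access-list VPN_CLIENT_FILTER extended permit icmp 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0
group-policy SecureMeGrp attributes
 vpn-filter value VPN_CLIENT_FILTER

! 4. Verify after reconnecting a client.
show route
show run nat
show vpn-sessiondb remote
show crypto ipsec sa
```

The vpn-filter only works as a restriction if the client is actually forced through the ASA for the traffic you care about; with the default tunnel-everything policy it is, but if you later add a split-tunnel ACL, anything excluded from the tunnel never reaches the filter. On the client side, `route print` before and after connecting shows whether the 0.0.0.0/0 entry over the virtual adapter is being installed and torn down cleanly, which is what the AddRoute and DeleteIpForwardEntry warnings are about.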