Remote Access VPN - Odd Routing Issue

COURSE of the MONTH

10 days, 17 hours left to enroll

View August's Free Course

Become a Premium Member and unlock a new, free course in leading technologies each month.

I have a single user having an issue connecting from their house via the Cisco VPN Client to our corporate network which has an ASA 5510 head end.

Her local subnet is 192.168.1.0/24 and she connects fine and obtains an IP address in the address block reserved for remote access clients, however there is no communication over the link though TX and RX show data moving.

If I do a traceroute from her computer to the corporate network, I see real oddities (attached). I also attached her routing table which looks good.

The only gotcha I can think of, though it shouldn't make a difference to my knowledge, is that we also have a site-to-site VPN tunnel that connects to a 192.168.1.0/24 subnet, but since remote access clients grab from their own DHCP pool, I don't think this should matter?

Any ideas on this?
traceroute.PNG
routing-table.PNG

Is the 172.30.11.x network the one used for 192.168.1.0 in the site-2-site connection? And what is 10.141.78.1?

First hop should be 10.1.201.1 not 192.168.1.1. Can you adjust the metric for the routed vpn networks to be less than the default route?

That's what I'm wondering Qlemo... none of those networks are used anywhere within our corporate network that does span about 50 subnets. Very odd...

Good idea djcanter, though the routing table shows which hop to contact for that route... that should take precedence over a metic.

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Your traffic egressing the 192.168.1.1 gateway is hopping on the ISPs private routed network. Clearly they shouldnt allow this....

Routing table should look like below with tunnel routes lower metric than default gateway:
Other sites have reported enabling NAT-T may resolve this

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 20
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 20
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 20
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 20
10.1.0.0 255.255.255.0 172.20.10.62 172.20.10.62 1
10.2.0.0 255.255.255.0 172.20.10.62 172.20.10.62 1
65.216.9.229 255.255.255.255 192.168.1.1 192.168.1.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.20.10.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.10.62 255.255.255.255 127.0.0.1 127.0.0.1 20
172.20.11.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.21.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.31.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.50.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.51.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.60.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.61.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.70.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.71.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.81.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.91.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.255.255 255.255.255.255 172.20.10.62 172.20.10.62 20
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 20
192.168.1.1 255.255.255.255 192.168.1.10 192.168.1.10 1
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 20
224.0.0.0 240.0.0.0 172.20.10.62 172.20.10.62 20
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 20
255.255.255.255 255.255.255.255 172.20.10.62 172.20.10.62 1
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.1.1

Try this:
https://supportforums.cisco.com/thread/2084929

Workaround 2, changing metric of wired/wireless adapter not vpn client.

Were you able to get issue resolved by adjusting route metric ?
If so, please close question as answered and award points.

Issue not resolved as I didn't hear back from user, and don't expect to unless the next big snow storm when they need to work from home again; awarded points anyhow.

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

8 Comments

LVL 70

Expert Comment

by:Qlemo

ID: 387104692012-12-20

LVL 10

by:djcanter

ID: 387105702012-12-20

Author Comment

by:Tercestisi

ID: 387106002012-12-20

Accepted Solution

djcanter earned 2000 total points

ID: 387106112012-12-20

ID: 387106722012-12-20

Assisted Solution

ID: 387107022012-12-20

ID: 387213912012-12-26

Author Closing Comment

ID: 387214942012-12-26

COURSE of the MONTH

Remote Access VPN - Odd Routing Issue

Welcome to Experts Exchange

Featured Post

Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Enjoyed your answer?

Keep in touch with Experts Exchange

Live Consultants