Solved

Remote Access VPN - Odd Routing Issue

Posted on 2012-12-20
8
445 Views
Last Modified: 2012-12-26
I have a single user having an issue connecting from their house via the Cisco VPN Client to our corporate network which has an ASA 5510 head end.

Her local subnet is 192.168.1.0/24 and she connects fine and obtains an IP address in the address block reserved for remote access clients, however there is no communication over the link though TX and RX show data moving.

If I do a traceroute from her computer to the corporate network, I see real oddities (attached). I also attached her routing table which looks good.

The only gotcha I can think of, though it shouldn't make a difference to my knowledge, is that we also have a site-to-site VPN tunnel that connects to a 192.168.1.0/24 subnet, but since remote access clients grab from their own DHCP pool, I don't think this should matter?

Any ideas on this?
traceroute.PNG
routing-table.PNG
0
Question by:Tercestisi
8 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 38710469
Is the 172.30.11.x network the one used for 192.168.1.0 in the site-2-site connection? And what is 10.141.78.1?
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38710570
First hop should be 10.1.201.1 not 192.168.1.1.  Can you adjust the metric for the routed vpn networks to be less than the default route?
0
 

Author Comment

by:Tercestisi
ID: 38710600
That's what I'm wondering Qlemo... none of those networks are used anywhere within our corporate network that does span about 50 subnets. Very odd...

Good idea djcanter, though the routing table shows which hop to contact for that route... that should take precedence over a metric.
0
 
LVL 10

Accepted Solution

by:
djcanter earned 500 total points
ID: 38710611
Your traffic egressing the 192.168.1.1 gateway is hopping on the ISP's private routed network. Clearly they shouldn't allow this....
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38710672
Routing table should look like below with tunnel routes lower metric than default gateway:
Other sites have reported enabling NAT-T may resolve this

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10       20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10       20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:


Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       20
         10.1.0.0    255.255.255.0     172.20.10.62    172.20.10.62       1
         10.2.0.0    255.255.255.0     172.20.10.62    172.20.10.62       1
     65.216.9.229  255.255.255.255      192.168.1.1    192.168.1.10       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      172.20.10.0    255.255.255.0     172.20.10.62    172.20.10.62       1
     172.20.10.62  255.255.255.255        127.0.0.1       127.0.0.1       20
      172.20.11.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.21.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.31.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.50.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.51.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.60.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.61.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.70.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.71.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.81.0    255.255.255.0     172.20.10.62    172.20.10.62       1
      172.20.91.0    255.255.255.0     172.20.10.62    172.20.10.62       1
   172.20.255.255  255.255.255.255     172.20.10.62    172.20.10.62       20
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       20
      192.168.1.1  255.255.255.255     192.168.1.10    192.168.1.10       1
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10       20
        224.0.0.0        240.0.0.0     172.20.10.62    172.20.10.62       20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10       20
  255.255.255.255  255.255.255.255     172.20.10.62    172.20.10.62       1
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
Default Gateway:       192.168.1.1
0
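To make the check in the comment above concrete, here is an added example (not code from the thread or from Cisco) that parses a "route print" style Active Routes block, applies Windows route selection (longest prefix, then lowest metric) to a few destinations, and lists any tunnel routes whose metric is not lower than the default route's. The sample rows are constructed from the table posted above; the VPN adapter address 172.20.10.62 and the destinations tested are taken from this thread.

```python
import ipaddress

# Constructed sample in the layout of a Windows "route print" Active Routes
# block, modelled on the table posted above (VPN adapter 172.20.10.62,
# LAN adapter 192.168.1.10, default gateway 192.168.1.1).
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       20
         10.1.0.0    255.255.255.0     172.20.10.62    172.20.10.62       1
       172.20.10.0    255.255.255.0     172.20.10.62    172.20.10.62       1
       192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       20
"""

def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows into
    (network, gateway, interface, metric) tuples; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # header, blank or separator line
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def select_route(routes, dst):
    """Windows-style selection: most specific prefix wins, ties broken by
    the lowest metric. Returns the winning tuple or None."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))

def shadowed_tunnel_routes(routes, vpn_iface):
    """Tunnel routes (via vpn_iface) whose metric is not lower than the
    default route's metric, the state the comment above says to avoid."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return []
    default_metric = min(r[3] for r in defaults)
    return [r for r in routes
            if r[2] == vpn_iface and r[0].prefixlen > 0 and r[3] >= default_metric]

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("10.1.0.5", "10.141.78.1", "172.30.11.1"):
        r = select_route(table, dst)
        print(dst, "->", r[1], "via", r[2], "(metric", r[3], ")")
    print("shadowed tunnel routes:", shadowed_tunnel_routes(table, "172.20.10.62"))
```

Destinations outside the pushed tunnel networks (such as the 10.141.78.x and 172.30.11.x hops seen in the traceroute) fall through to the 192.168.1.1 default gateway, which is the path the accepted answer describes.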
 
LVL 10

Assisted Solution

by:djcanter
djcanter earned 500 total points
ID: 38710702
Try this:
https://supportforums.cisco.com/thread/2084929

Workaround 2, changing metric of wired/wireless adapter not vpn client.
0
 
LVL 10

Expert Comment

by:djcanter
ID: 38721391
Were you able to get the issue resolved by adjusting the route metric?
If so, please close question as answered and award points.
0
 

Author Closing Comment

by:Tercestisi
ID: 38721494
Issue not resolved as I didn't hear back from user, and don't expect to unless the next big snow storm when they need to work from home again; awarded points anyhow.
0
