asked on Remote Access VPN - Odd Routing Issue
I have a single user having an issue connecting from their house via the Cisco VPN Client to our corporate network which has an ASA 5510 head end.
Her local subnet is 192.168.1.0/24 and she connects fine and obtains an IP address in the address block reserved for remote access clients, however there is no communication over the link though TX and RX show data moving.
If I do a traceroute from her computer to the corporate network, I see real oddities (attached). I also attached her routing table which looks good.
The only gotcha I can think of, though it shouldn't make a difference to my knowledge, is that we also have a site-to-site VPN tunnel that connects to a 192.168.1.0/24 subnet, but since remote access clients grab from their own DHCP pool, I don't think this should matter?
Any ideas on this?
traceroute.PNG
routing-table.PNG
Her local subnet is 192.168.1.0/24 and she connects fine and obtains an IP address in the address block reserved for remote access clients, however there is no communication over the link though TX and RX show data moving.
If I do a traceroute from her computer to the corporate network, I see real oddities (attached). I also attached her routing table which looks good.
The only gotcha I can think of, though it shouldn't make a difference to my knowledge, is that we also have a site-to-site VPN tunnel that connects to a 192.168.1.0/24 subnet, but since remote access clients grab from their own DHCP pool, I don't think this should matter?
Any ideas on this?
traceroute.PNG
routing-table.PNG
CiscoVPNInternet Protocol Security
Last Comment
Tercestisi
Is the 172.30.11.x network the one used for 192.168.1.0 in the site-2-site connection? And what is 10.141.78.1?
First hop should be 10.1.201.1 not 192.168.1.1. Can you adjust the metric for the routed vpn networks to be less than the default route?
ASKER
That's what I'm wondering Qlemo... none of those networks are used anywhere within our corporate network that does span about 50 subnets. Very odd...
Good idea djcanter, though the routing table shows which hop to contact for that route... that should take precedence over a metic.
Good idea djcanter, though the routing table shows which hop to contact for that route... that should take precedence over a metic.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Routing table should look like below with tunnel routes lower metric than default gateway:
Other sites have reported enabling NAT-T may resolve this
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 20
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 20
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 20
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.1.1
==========================
Persistent Routes:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 20
10.1.0.0 255.255.255.0 172.20.10.62 172.20.10.62 1
10.2.0.0 255.255.255.0 172.20.10.62 172.20.10.62 1
65.216.9.229 255.255.255.255 192.168.1.1 192.168.1.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.20.10.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.10.62 255.255.255.255 127.0.0.1 127.0.0.1 20
172.20.11.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.21.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.31.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.50.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.51.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.60.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.61.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.70.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.71.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.81.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.91.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.255.255 255.255.255.255 172.20.10.62 172.20.10.62 20
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 20
192.168.1.1 255.255.255.255 192.168.1.10 192.168.1.10 1
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 20
224.0.0.0 240.0.0.0 172.20.10.62 172.20.10.62 20
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 20
255.255.255.255 255.255.255.255 172.20.10.62 172.20.10.62 1
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.1.1
Other sites have reported enabling NAT-T may resolve this
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 20
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 20
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 20
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.1.1
==========================
Persistent Routes:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 20
10.1.0.0 255.255.255.0 172.20.10.62 172.20.10.62 1
10.2.0.0 255.255.255.0 172.20.10.62 172.20.10.62 1
65.216.9.229 255.255.255.255 192.168.1.1 192.168.1.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.20.10.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.10.62 255.255.255.255 127.0.0.1 127.0.0.1 20
172.20.11.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.21.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.31.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.50.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.51.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.60.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.61.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.70.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.71.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.81.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.91.0 255.255.255.0 172.20.10.62 172.20.10.62 1
172.20.255.255 255.255.255.255 172.20.10.62 172.20.10.62 20
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 20
192.168.1.1 255.255.255.255 192.168.1.10 192.168.1.10 1
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 20
224.0.0.0 240.0.0.0 172.20.10.62 172.20.10.62 20
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 20
255.255.255.255 255.255.255.255 172.20.10.62 172.20.10.62 1
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.1.1
SOLUTION
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Were you able to get issue resolved by adjusting route metric ?
If so, please close question as answered and award points.
If so, please close question as answered and award points.
ASKER
Issue not resolved as I didn't hear back from user, and don't expect to unless the next big snow storm when they need to work from home again; awarded points anyhow.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.