VPN Clients getting different default gateways

Hello,
We have a new Cisco ASA 5520 and are trying to set up the VPN with split tunneling. We mostly have clients running XP, and the problem is that some of the clients connect (using Cisco AnyConnect 2.5) and the split tunneling works as expected (these clients keep their default gateway), while other clients connect and get a default gateway of 192.168.119.1 (our VPN address subnet), and of course these users cannot connect to the internet while connected to the VPN.
Here is our config:
ASA Version 9.1(1)
hostname xxxxxx
names
name 178.239.80.0 Deny178.239.80.0 description 178.239.80.0
name 74.82.64.0 Deny74.82.64.0 description 74.82.64.0
name 173.247.32.0 Deny173.247.32.0 description 173.247.32.0
name 193.109.81.0 Deny193.109.81.0 description 193.109.81.0
name 204.187.87.0 Deny204.187.87.0 description 204.187.87.0
name 206.51.26.0 Deny206.51.26.0 description 206.51.26.0
name 206.53.144.0 Deny206.53.144.0 description 206.53.144.0
name 67.223.64.0 Deny67.223.64.0 description 67.223.64.0
name 93.186.16.0 Deny93.186.16.0 description 93.186.16.0
name 216.9.240.0 Deny216.9.240.0 description 216.9.240.0
name 68.171.224.0 Deny68.171.224.0 description 68.171.224.0
ip local pool PAIUSERS 192.168.119.10-192.168.119.100 mask 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 63.86.112.194 255.255.255.192
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.129.5 255.255.255.192
interface GigabitEthernet0/2
nameif dmz
security-level 10
ip address 192.168.20.10 255.255.255.0
interface GigabitEthernet0/3
nameif vpn_dmz
security-level 25
ip address 192.168.30.10 255.255.255.0
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 192.168.102.4 255.255.255.0
object network obj-192.168.119.0
subnet 192.168.119.0 255.255.255.0
access-list outside_access_in extended permit ip host 192.168.119.11 host 192.168.35.23
access-list outside_access_in extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_3 object-group UDP_TCP_Domain inactive
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 eq isakmp
access-list outside_access_in extended permit ip any4 object obj-192.168.30.11
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 object-group UDP10000
access-list outside_access_in extended permit udp any4 object-group DM_INLINE_NETWORK_7 eq domain inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_8 eq domain inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 host 192.168.35.30 eq ssh inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 object obj-192.168.35.30 object-group DM_INLINE_TCP_6 inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_9 eq www inactive
access-list outside_access_in extended permit tcp any4 object obj-192.168.30.11 eq www
access-list outside_access_in extended permit esp any4 object obj-192.168.30.11
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq https
access-list outside_access_in extended permit tcp any4 host 192.168.35.34 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.30 object-group Ports_UDpTCP
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 object-group DM_INLINE_TCP_7
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.248
access-list outside_access_in extended permit udp any4 host 162.95.80.115 eq isakmp
access-list outside_access_in extended permit tcp any4 host 162.95.80.115 object-group Ports_115
access-list outside_access_in extended permit udp any4 host 162.95.80.115 object-group Ports_2746_259
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.245 object-group Service_Group_245 inactive
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.40 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.40 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.129.11 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group Network_Service_2703_6277
access-list outside_access_in extended permit udp any4 object obj-192.168.129.11 object-group UDP_443
access-list outside_access_in extended permit ip any4 host 192.168.101.75 inactive
access-list outside_access_in extended permit tcp any4 host 64.78.239.50 eq www
access-list outside_access_in extended permit tcp any4 host 64.78.239.54 object-group TCP_4445
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit udp any4 object obj-192.168.35.40 object-group UDP_443
access-list outside_access_in extended permit tcp any4 host 63.86.112.204 object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any4 host 63.86.112.204
access-list outside_access_in extended permit udp any4 host 63.86.112.204
access-list outside_access_in extended permit object-group TCPUDP any4 host 192.168.102.12 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq www
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.41 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any4 host 63.86.112.193 object-group Network_Service_TCP_1194
access-list outside_access_in extended deny tcp object Deny206.51.26.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny193.109.81.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny204.187.87.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny206.53.144.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny216.9.240.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny67.223.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny93.186.16.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny68.171.224.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny74.82.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny178.239.80.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny173.247.32.0 object obj-192.168.35.40 eq https
access-list vpn_dmz_access_in extended permit ip host 192.168.35.23 192.168.119.0 255.255.255.0
access-list vpn_dmz_access_in extended permit gre host 192.168.30.11 any4
access-list vpn_dmz_access_in extended permit tcp any4 host 23.0.214.60 eq https
access-list vpn_dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_28 any4
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105 object-group DM_INLINE_TCP_4
access-list vpn_dmz_access_in extended permit esp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 host 192.168.129.11
access-list vpn_dmz_access_in remark RDP
access-list vpn_dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.23
access-list inside_nat0_outbound extended permit ip any4 192.168.119.0 255.255.255.0
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 63.86.112.248
access-list ftp-timeout extended permit tcp host 63.86.112.248 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 192.168.35.30 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 192.168.35.30
access-list Split_Tunnel_List remark northwoods
access-list Split_Tunnel_List standard permit host 192.168.35.23
access-list Split_Tunnel_List remark paits2
access-list Split_Tunnel_List standard permit host 192.168.35.198
access-list Split_Tunnel_List standard deny 192.168.102.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list IS_Split_Tunnel standard permit 192.168.102.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.82.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.35.0 255.255.255.0
nat (inside,outside) source static object-192.168.35.0 object-192.168.35.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.82.0 obj-192.168.82.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.102.0 obj-192.168.102.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
webvpn
enable outside
enable inside
enable dmz
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles pairemoteuser disk0:/pairemoteuser.xml
anyconnect enable
tunnel-group-list enable
group-policy PAIGroup internal
group-policy PAIGroup attributes
vpn-tunnel-protocol ssl-clientless
webvpn
  url-list value PAI
group-policy PAIUSERS internal
group-policy PAIUSERS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain none
webvpn
  anyconnect firewall-rule client-interface private value vpn_dmz_access_in
  anyconnect profiles value pairemoteuser type user
group-policy PAIIS internal
group-policy PAIIS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_Split_Tunnel
default-domain none
webvpn
  anyconnect firewall-rule client-interface private value vpn_dmz_access_in
  anyconnect profiles value pairemoteuser type user
group-policy DfltGrpPolicy attributes
banner value Welcome to PAI
wins-server value 192.168.35.57
dns-server value 192.168.35.57
address-pools value PAIUSERS
webvpn
  anyconnect firewall-rule client-interface public none
  anyconnect firewall-rule client-interface private value vpn_dmz_access_in
  anyconnect ask enable default anyconnect timeout 5
group-policy Anyconnect internal
: end

Check if the users fall into DfltGrpPolicy, because it has no split tunneling active.
Michael
Please rate all helpful posts
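As an added example (not the poster's config or a Cisco tool), a small audit of the group-policy inheritance Michael points at: it parses a constructed ASA config modelled on the one in the thread and reports which policies end up with tunnelall, and which tunnel-groups land users in DfltGrpPolicy. The tunnel-group names are assumed, since the posted config does not show them.

```python
"""Audit which ASA group-policies give VPN users a full tunnel.

Added example, not the poster's config or Cisco tooling. It models the
two ASA behaviours Michael's reply relies on: an attribute a group-policy
does not set is inherited from DfltGrpPolicy, and if no policy sets
split-tunnel-policy the default is tunnelall, which moves the client's
default gateway into the VPN.
"""
import re

# Constructed sample modelled on the thread's config, with the one-space
# attribute indentation the ASA emits. Tunnel-group names are assumed.
SAMPLE_CONFIG = """\
group-policy PAIUSERS internal
group-policy PAIUSERS attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 webvpn
  anyconnect profiles value pairemoteuser type user
group-policy PAIIS internal
group-policy PAIIS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IS_Split_Tunnel
group-policy DfltGrpPolicy attributes
 banner value Welcome to PAI
 address-pools value PAIUSERS
group-policy Anyconnect internal
tunnel-group PAI general-attributes
 default-group-policy PAIUSERS
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool PAIUSERS
"""

ASA_DEFAULT_SPLIT_POLICY = "tunnelall"


def parse_blocks(text):
    """Map (kind, name) -> attribute lines; a policy with no attributes
    block still gets an empty list so it is audited too."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):              # belongs to the open block
            if current is not None:
                current.append(raw.strip())
            continue
        current = None
        m = re.match(r"(group-policy|tunnel-group) (\S+)(.*)$", raw)
        if m:
            lines = blocks.setdefault((m.group(1), m.group(2)), [])
            if m.group(3).rstrip().endswith("attributes"):
                current = lines
    return blocks


def attribute(lines, keyword):
    """Value of 'keyword ...' inside a block, or None when unset."""
    for line in lines:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:].strip()
    return None


def resolve(blocks, policy, keyword):
    """Per-attribute inheritance: the policy itself, then DfltGrpPolicy."""
    for name in (policy, "DfltGrpPolicy"):
        value = attribute(blocks.get(("group-policy", name), []), keyword)
        if value is not None:
            return value, name
    return None, None


def audit(text):
    """Return {policy: (mode, network_list, inherited_from, verdict)}."""
    blocks, report = parse_blocks(text), {}
    for kind, name in blocks:
        if kind != "group-policy":
            continue
        mode, source = resolve(blocks, name, "split-tunnel-policy")
        acl, _ = resolve(blocks, name, "split-tunnel-network-list")
        if mode is None:
            mode, source = ASA_DEFAULT_SPLIT_POLICY, "asa-default"
        acl = acl.split()[-1] if acl else None   # "value NAME" -> NAME
        if mode == "tunnelall":
            verdict = "FULL TUNNEL: default gateway moves into the VPN"
        elif mode == "tunnelspecified" and acl is None:
            verdict = "MISCONFIGURED: tunnelspecified without a network list"
        else:
            verdict = "split tunnel: client keeps its local default gateway"
        report[name] = (mode, acl, source, verdict)
    return report


def landing_policies(text):
    """Tunnel-group -> group-policy its users land in; without
    default-group-policy the ASA uses DfltGrpPolicy."""
    return {name: attribute(lines, "default-group-policy") or "DfltGrpPolicy"
            for (kind, name), lines in parse_blocks(text).items()
            if kind == "tunnel-group"}
```

Running `audit(SAMPLE_CONFIG)` flags DfltGrpPolicy and the bare `Anyconnect` policy as full tunnel, and `landing_policies` shows that anyone arriving via DefaultWEBVPNGroup ends up in DfltGrpPolicy.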

Similar Messages

  • Remote access VPN client gets connected fails on hosts in LAN

    Hi,
    The VPN client gets connected fine. I have inter-VLAN routing happening on the switch in the LAN, so all the LAN hosts have their gateway IP on the switch, and I have the default route on the switch pointing to the ASA inside interface. I can reach the switch after the Remote Access VPN is connected; however, I cannot ping/connect to other hosts in the LAN, and if I make the gateway point to the ASA then that host is accessible. Any suggestions? I really want the gateway to be the switch, as I have other networks reachable through the switch (intranet routing).

    Hi Mashal,
    Thanks for your time,
    VPN Pool(Client) 192.168.100.0/24
    Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
    =============
    On the Switch
    =============
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.2.5 to network 0.0.0.0
         172.32.0.0/24 is subnetted, 1 subnets
    C       172.32.0.0 is directly connected, Vlan101
    C    192.168.200.0/24 is directly connected, Vlan2000
    C    192.9.200.0/24 is directly connected, Vlan4000
    S    192.168.250.0/24 [1/0] via 192.9.200.125
    S    192.168.1.0/24 [1/0] via 192.9.200.125
    C    192.168.2.0/24 is directly connected, Vlan1000
    S    192.168.252.0/24 [1/0] via 192.9.200.125
    S*   0.0.0.0/0 [1/0] via 192.168.2.5
    ===============
    On ASA
    ===============
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 172.32.0.2 to network 0.0.0.0
    C    172.32.0.0 255.255.255.0 is directly connected, outside
    C    192.9.200.0 255.255.255.0 is directly connected, inside
    C    192.168.168.0 255.255.255.0 is directly connected, failover
    C    192.168.2.0 255.255.255.0 is directly connected, MGMT
    S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
    S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
    We don't need a route print on the PC for now, as I can explain what is happening: I get complete access to 192.168.2.0/24 (VLAN 1000), but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IPs on the switches/pair and cannot have any TCP connections, which is explained by the default route on the switch pointing out VLAN 1000. Now my issue is how I get access to VLAN 4000. As you can see these two are on different interfaces/zones on the ASA, and please note that with the default gateway pointing to the ASA I have access to both VLANs; it is only when I move the gateway to point to the switch that I lose TCP connections to one VLAN, depending on which one the default route on the switch points to.
    So we are left with how to do this on the switch with the default route.

  • How to set up the default gateway in a DHCP client. The default gateway will be the IP address of the server that has RRAS installed, hence routing capabilities.

    Hi Bill,
    Thank you for replying back... Yes, I was actually asking how you set the default gateway address on the DHCP server.
    I believe I got the answer below:
    To configure the DHCP default gateway option: click Start, point to Administrative Tools, and then click DHCP. In the console tree, expand the applicable DHCP server, expand IPv4, and then right-click Scope Options. Click Configure Options, check 003 Router, type the applicable server name and IP address, and then click OK.
    Thank you

  • Remote access VPN client gets connected no access to LAN

    : Saved
    ASA Version 8.6(1)2
    hostname COL-ASA-01
    domain-name dr.test.net
    enable password i/RAo1iZPOnp/BK7 encrypted
    passwd i/RAo1iZPOnp/BK7 encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 172.32.0.11 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.9.200.126 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    nameif failover
    security-level 0
    ip address 192.168.168.1 255.255.255.0 standby 192.168.168.2
    interface Management0/0
    nameif management
    security-level 0
    ip address 192.168.2.11 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dr.test.net
    object network RAVPN
    subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_192.168.200.0_24
    subnet 192.168.200.0 255.255.255.0
    object network NETWORK_OBJ_192.9.200.0_24
    subnet 192.9.200.0 255.255.255.0
    object-group network inside_network
    network-object 192.9.200.0 255.255.255.0
    object-group network Outside
    network-object host 172.32.0.25
    access-list RAVPN_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
    access-list test123 extended permit ip host 192.168.200.1 host 192.9.200.190
    access-list test123 extended permit ip host 192.9.200.190 host 192.168.200.1
    access-list test123 extended permit ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0
    access-list test123 extended permit ip 192.9.200.0 255.255.255.0 object NETWORK_OBJ_192.9.200.0_24
    pager lines 24
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    mtu failover 1500
    ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
    route outside 0.0.0.0 0.0.0.0 172.32.0.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment terminal
    subject-name CN=KWI-COL-ASA-01.dr.test.net,O=KWI,C=US
    crl configure
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 management
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 66.35.45.128 255.255.255.192 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    group-policy RAVPN internal
    group-policy RAVPN attributes
    wins-server value 192.9.200.164
    dns-server value 66.35.46.84 66.35.47.12
    vpn-filter value test123
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value test123
    default-domain value dr.kligerweiss.net
    username test password xxxxxxx encrypted
    username admin password aaaaaaaaaaaa encrypted privilege 15
    username vpntest password ddddddddddd encrypted
    tunnel-group RAVPN type remote-access
    tunnel-group RAVPN general-attributes
    address-pool RAVPN
    default-group-policy RAVPN
    tunnel-group RAVPN ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 2
      subscribe-to-alert-group configuration periodic monthly 2
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea
    : end
    COL-ASA-01#
    Here is a capture done on the inside interface which may help too. I tried pointing the gateway to the inside interface on the target device, but I think this was a switch without ip route available on it; I believe it is still sending packets back to the Cisco inside interface.
    COL-ASA-01# sho cap test | in 192.168.200
    25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request
      29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137:  udp 68
      38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137:  udp 68
      56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137:  udp 68
      69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request
      98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request
      99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request
    COL-ASA-01#
    Any help or pointers greatly appreciated. I am doing this config after a long gap on Cisco; the last time I was working it was all PIX, so I just need some expert eyes to let me know if I am missing something.
    And yes, I do not have a host in the inside network to test against; all I have is a switch which cannot route, and ip default-gateway is not helping either...

    Hi,
    The first thing you should do to avoid problems is to change the VPN pool to something other than the current LAN network, as they are not really directly connected in the same network segment.
    You could try the following changes:
    tunnel-group RAVPN general-attributes
      no address-pool RAVPN
    no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
    ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0
    tunnel-group RAVPN general-attributes
      address-pool RAVPN
    no nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
    In the above you first remove the VPN pool from the "tunnel-group", then remove and recreate the VPN pool with another network, and then insert it back into the same "tunnel-group". Next you remove the current NAT configuration.
    object network LAN
    subnet 192.168.200.0 255.255.255.0
    object network VPN-POOL
    subnet 192.168.201.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
    The above NAT configuration adds the correct NAT0 configuration for the changed VPN pool. It also inserts the NAT rule at the very top, before the dynamic PAT rule you currently have. That is also one of the problems with the configuration, as it will override your current NAT configurations.
    You currently have your dynamic PAT rule at the very top of your NAT rules, which is not a good idea. If you wish to change it to something that won't override the other NAT configurations in the future, you can make the following change:
    no nat (inside,outside) source dynamic any interface
    nat (inside,outside) after-auto source dynamic any interface
    NOTICE! Changing the above dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the dynamic PAT rule. So if you make this change, make sure that it's OK to still cause a small cut in the current connections of internal users.
    Hope this helps
    Let me know if it works for you
    - Jouni
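Jouni's two points, the VPN pool colliding with a LAN subnet and the dynamic PAT rule shadowing the NAT0 rule, modelled in Python as an added example (not the poster's config or Cisco code). The networks and NAT lines come from this thread; the rule-ordering model assumes ASA 8.3+ manual-NAT semantics.

```python
"""Why a dynamic PAT rule at the top of manual NAT shadows the VPN
identity (NAT0) rule, and why a VPN pool must not overlap the LAN.

Added example modelling the ASA NAT lookup Jouni's reply describes; it
is not the poster's config or Cisco code. Section 1 (manual NAT) is
evaluated in configured order, then object NAT (none here), then
Section 3 ('after-auto'); the first match wins, and static twice-NAT
rules also match the reverse direction of the connection.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = "192.9.200.0/24"            # ASA inside network from the thread
POOL_POSTED = "192.168.200.0/24"  # VPN pool as posted
POOL_FIXED = "192.168.201.0/24"   # pool Jouni suggests
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class NatRule:
    text: str        # configuration line, for reporting
    section: int     # 1 = manual NAT, 3 = manual NAT 'after-auto'
    ingress: str     # interface name or "any"
    egress: str
    src: str         # real source must fall inside this network
    dst: str         # destination must fall inside this network
    static: bool     # static rules are bidirectional, dynamic are not


def _forward(rule, ingress, egress, src, dst):
    return (rule.ingress in ("any", ingress) and rule.egress in ("any", egress)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst))


def matches(rule, ingress, egress, src, dst):
    """Forward match, or the mirrored match a static rule also allows."""
    return (_forward(rule, ingress, egress, src, dst)
            or (rule.static and _forward(rule, egress, ingress, dst, src)))


def lookup(rules, ingress, egress, src, dst):
    """First rule the ASA applies: Section 1 in order, then Section 3."""
    for section in (1, 3):
        for rule in rules:
            if rule.section == section and matches(rule, ingress, egress, src, dst):
                return rule
    return None


# NAT lines as posted: dynamic PAT first, identity rule second.
AS_POSTED = [
    NatRule("nat (inside,outside) source dynamic any interface",
            1, "inside", "outside", ANY, ANY, False),
    NatRule("nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 ... "
            "destination static NETWORK_OBJ_192.9.200.0_24 ...",
            1, "any", "inside", POOL_POSTED, LAN, True),
]

# Jouni's version: identity rule at line 1, PAT moved to after-auto.
AFTER_FIX = [
    NatRule("nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL",
            1, "inside", "outside", LAN, POOL_FIXED, True),
    NatRule("nat (inside,outside) after-auto source dynamic any interface",
            3, "inside", "outside", ANY, ANY, False),
]


def rule_for_lan_to_vpn(rules, lan_host, vpn_client):
    """Rule hit when a LAN host opens a connection to a VPN client."""
    rule = lookup(rules, "inside", "outside", lan_host, vpn_client)
    return rule.text if rule else "no NAT rule: routed unchanged"


def pool_overlaps(pool, lan_networks):
    """Networks the VPN pool collides with (Jouni's first point)."""
    return [n for n in lan_networks if ip_network(pool).overlaps(ip_network(n))]


# Connected networks from the switch's routing table earlier in the thread.
SWITCH_NETWORKS = ["172.32.0.0/24", "192.168.200.0/24", "192.9.200.0/24", "192.168.2.0/24"]
```

With the rules as posted, a LAN host talking to a VPN client is PATed to the outside interface address instead of hitting the identity rule; with Jouni's ordering the identity rule wins and internet-bound traffic still reaches the PAT in Section 3.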

  • VPN client get connect but Request Timed out when ping

    Hi, I'm using the Cisco 837 router as my VPN server. I get connected using Cisco VPN Client Version 5, but when I ping the router IP I get request timed out. Here is my configuration:
    Building configuration...
    Current configuration : 3704 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname michael
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    no logging console
    enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0
    !
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    !
    resource policy
    !
    ip subnet-zero
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1
    !
    ip dhcp pool michael
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 202.134.0.155
    !
    ip dhcp pool excluded-address
       host 192.168.1.4 255.255.255.0
       hardware-address 01c8.d719.957a.b9
    !
    ip cef
    ip name-server 202.134.0.155
    ip name-server 203.130.193.74
    vpdn enable
    !
    username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f.
    username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp xauth timeout 15
    !
    crypto isakmp client configuration group michaelvpn
     key vpnpassword
     pool SDM_POOL_1
     acl 199
     netmask 255.255.255.0
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    interface Ethernet0
     description $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 out
    !
    interface Ethernet2
     no ip address
     shutdown
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
     pvc 0/35
      pppoe-client dial-pool-number 1
    !
    interface FastEthernet1
     duplex auto
     speed auto
    !
    interface FastEthernet2
     duplex auto
     speed auto
    !
    interface FastEthernet3
     duplex auto
     speed auto
    !
    interface FastEthernet4
     duplex auto
     speed auto
    !
    interface Virtual-PPP1
     no ip address
    !
    interface Dialer1
     description $FW_OUTSIDE$
     mtu 1492
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     ppp chap hostname ispusername
     ppp chap password 0 isppassword
     ppp pap sent-username ispusername password 0 isppassword
     crypto map SDM_CMAP_1
    !
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip http server
    no ip http secure-server
    ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723
    ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    !
    access-list 1 remark SDM_ACL Category=16
    access-list 1 permit 192.0.0.0 0.255.255.255
    access-list 102 remark SDM_ACL Category=2
    access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 102
    !
    control-plane
    !
    banner motd ^C
    Authorized Access Only
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
    You must have explicit permission to access this device.
    All activities performed on this device are logged.
    Any violations of access policy will result in disciplinary action.
    ^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
    !
    scheduler max-task-time 5000
    end
    Thank you, any help will be appreciated.
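    A consistency check for the kind of config posted above, added here as an example; it is not the poster's code. On an IOS Easy VPN server three things have to line up: the "ip local pool" the clients draw from, the NAT ACL behind the overload route-map (inside-to-pool traffic must hit a deny so it is not translated out the dialer), and the split-tunnel ACL named by "acl" in the client group (the only destinations the client will send into the tunnel). The script parses a constructed excerpt modelled on the posted config, with sub-commands indented the way IOS prints them, and reports any pool block that the NAT ACL would translate or that the split ACL does not cover.

```python
"""Split-tunnel / NAT-exemption consistency check for an IOS Easy VPN server.

Added example for the thread above, not code from the original post.  CONFIG is
a constructed excerpt modelled on the posted 837 config, with sub-commands
indented the way IOS prints them (the forum paste lost that indentation)."""
import ipaddress
import re

CONFIG = """\
crypto isakmp client configuration group michaelvpn
 key vpnpassword
 pool SDM_POOL_1
 acl 199
 netmask 255.255.255.0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 102
"""


def _wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (contiguous wildcards only)."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _take_net(tokens):
    """Consume one ACE address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return _wildcard_net(t, tokens.pop(0))


def parse_acl(cfg, number):
    """[(action, src_net, dst_net)] for the 'ip' entries of numbered ACL `number`."""
    entries = []
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if action not in ("permit", "deny") or proto != "ip":
            continue                      # remarks, standard-ACL entries
        src = _take_net(rest)
        dst = _take_net(rest)
        entries.append((action, src, dst))
    return entries


def parse_pool(cfg, name):
    """(first, last) IPv4Address of 'ip local pool <name> first last'."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+) (\S+)", cfg, re.M)
    if not m:
        raise ValueError(f"ip local pool {name} not found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def nat_acl_number(cfg):
    """ACL number behind 'ip nat inside source' (directly or via its route-map)."""
    m = re.search(r"^ip nat inside source (?:list (\d+)|route-map (\S+))", cfg, re.M)
    if not m:
        return None
    if m.group(1):
        return int(m.group(1))
    rm = re.search(rf"^route-map {re.escape(m.group(2))} permit \d+\n\s*match ip address (\d+)",
                   cfg, re.M)
    return int(rm.group(1)) if rm else None


def check_split_tunnel(cfg):
    """Findings as strings; an empty list means pool, NAT ACL and split ACL agree."""
    findings = []
    grp = re.search(r"^crypto isakmp client configuration group (\S+)\n((?:[ \t].*\n)*)", cfg, re.M)
    if not grp:
        return ["no 'crypto isakmp client configuration group' block found"]
    pool_name = re.search(r"\bpool (\S+)", grp.group(2)).group(1)
    split_acl = re.search(r"\bacl (\S+)", grp.group(2)).group(1)
    first, last = parse_pool(cfg, pool_name)
    nat_acl = nat_acl_number(cfg)
    nat_entries = parse_acl(cfg, nat_acl) if nat_acl else []
    split_entries = parse_acl(cfg, split_acl)
    for block in ipaddress.summarize_address_range(first, last):
        # NAT is first-match: the first ACE whose destination covers the pool
        # block must be a deny, or inside->client replies get translated.
        for action, _src, dst in nat_entries:
            if block.subnet_of(dst):
                if action == "permit":
                    findings.append(f"ACL {nat_acl}: {block} matches a permit before any deny; "
                                    "inside->VPN replies will be NAT-overloaded")
                break
        # The client only tunnels what a permit ACE in the split ACL describes.
        if not any(a == "permit" and block.subnet_of(d) for a, _s, d in split_entries):
            findings.append(f"ACL {split_acl}: no permit covers pool block {block}")
    return findings


if __name__ == "__main__":
    for f in check_split_tunnel(CONFIG) or ["OK: pool, NAT exemption and split ACL agree"]:
        print(f)
```

    Run as-is it reports OK for the constructed excerpt; paste a real running-config into CONFIG (keeping IOS indentation) to check it. One caveat unrelated to the ping problem but worth stating before a config goes to a forum: this one runs with "no service password-encryption", so the group key and the ISP PPP credentials appear in clear text and the type 5 hashes can be attacked offline; anything that has been posted should be rotated.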

    Thank you for your response, here is the debug:
    Log Buffer (4096 bytes):
      1 15:19:47.011: ISAKMP: set new node 856647599 to QM_IDLE     
    May  1 15:19:47.015: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
         spi 2182802952, message ID = 856647599
    May  1 15:19:47.015: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8A
    May  1 15:19:47.015: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE     
    May  1 15:19:47.019: ISAKMP:(0:8:SW:1):purging node 856647599
    May  1 15:19:47.019: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
    May  1 15:19:47.019: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    May  1 15:19:49.979: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B4F274, count=0
    -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    May  1 15:19:49.983: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B4F274, count=0
    -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    May  1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
    -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    May  1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
    -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    May  1 15:19:58.383: ISAKMP (0:134217736): received packet from 120.168.1.24 dport 4500 sport 52667 Global (R) QM_IDLE     
    May  1 15:19:58.383: ISAKMP: set new node -1340288848 to QM_IDLE     
    May  1 15:19:58.387: ISAKMP:(0:8:SW:1): processing HASH payload. message ID = -1340288848
    May  1 15:19:58.387: ISAKMP:(0:8:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
         spi 0, message ID = -1340288848, sa = 81A7DCEC
    May  1 15:19:58.387: ISAKMP:(0:8:SW:1):deleting node -1340288848 error FALSE reason "Informational (in) state 1"
    May  1 15:19:58.387: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    May  1 15:19:58.387: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    May  1 15:19:58.391: ISAKMP:(0:8:SW:1):DPD/R_U_THERE received from peer 120.168.1.24, sequence 0xA3285B8B
    May  1 15:19:58.391: ISAKMP: set new node -752454119 to QM_IDLE     
    May  1 15:19:58.395: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
         spi 2182802952, message ID = -752454119
    May  1 15:19:58.395: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8B
    May  1 15:19:58.395: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE     
    May  1 15:19:58.399: ISAKMP:(0:8:SW:1):purging node -752454119
    May  1 15:19:58.399: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
    May  1 15:19:58.399: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    May  1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
    -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    May  1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
    -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    May  1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81F84148, count=0
    -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    May  1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81F84148, count=0
    -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
    After searching through the internet, I found:
    CSCsb46264
    Symptoms: When a dialer interface is configured as an endpoint for an IPSec+GRE tunnel, tracebacks with bad refcount may be generated.
    Conditions: This symptom is observed on a Cisco 837 when router-generated packets such as routing updates are being switched.
    Is it possible that this was the root of the problem? Thank you.

  • Mac Pro 8 Core two Ethernet to two different Default Gateway  Help!

    Hi, I am trying to get the best out of my Mac Pro. I have two ADSL connections at home and I would like to have one set of applications, i.e. HTML servers and streaming, on one external IP address (Ethernet 1) and browsing and other things on the second external IP address (Ethernet 2). Both of my routers do NAT and the addresses the two NICs see are 192.168.x.x; of course the default GW is different.
    Configuring the two NICs with different addresses is not a problem, but telling Safari to use one specific NIC and therefore go to "router 1" rather than "router 2" is something I am not capable of configuring. Same thing for some third-party little servers that need to reply to requests coming from the Internet and therefore respond on "router 2".
    I thought maybe I could circumvent the problem using two users running concurrently, where one was using ETH1 going to router 1 and the other using ETH2 going to router 2, but I quickly discovered that if I change the network setup for one user it reflects the same thing for the other user (unless I misconfigured something).
    The last solution I thought of was using either Parallels or Fusion to create a Windows virtual machine and browse the network through the virtual NIC that gets created, which routes the traffic to a default gateway different from the OS X configuration. This last solution works but it forces me once again to rely on Windows... I am convinced there is a very easy solution and I don't know what it is and where it is... if there is an expert out there I would welcome any suggestion (even several), and thank you in advance for the time you are going to spend on my question.
    Thanks and HAPPY 2009!
    Frank

    frank_tp wrote:
    Hi, I am trying to take the best out of my MacPro. [...]
    No, you are wrong. This is impossible. OS X can only use one internet connection at a time. Your trick with a virtualization program is probably the only way you can circumvent this.

  • Get default gateway address

    Dear all,
    I saw a function in the TCP library that can get the host address, but does somebody know how to get the default gateway address?
    e.g.
    IP 192.168.0.4 (this IP can be obtained by the get host address function)
    subnet 255.255.255.0
    default gateway 192.168.0.1
    B.R.
    Gerry

    Hey Gerry -
    To get the default gateway, you'll want to use the Win32 IP Helper API. Unfortunately, this portion of the Win32 API is only available to users of the Full LabWindows/CVI package.
    To retrieve IPv4 information about your network adapters, you can use the function GetAdaptersInfo. If you need IPv6 information, you'll need to use GetAdaptersAddresses. I wrote a quick example of using GetAdaptersInfo and attached it; you can see the output below:
    Let me know if you have any questions -
    NickB
    National Instruments
    Attachments:
    DisplayIPInfo.c (3 KB)

  • AnyConnect Secure Mobility Client v3.1.04066 "The VPN client driver encountered an error"

    Hello, I am a software engineer and have been trying to connect to my client's VPN using the AnyConnect Secure Mobility Client (version 3.1.04066) and keep receiving the error "The VPN client driver encountered an error. Please try again or restart your system."
    I am on a Windows 7 system with an intel i7-2670QM cpu. My computer model is an HP Pavilion dv7.
    I have tried uninstalling the software, re-installing it. I've tried restarting my system multiple times through the process. I've checked the registry and made sure the name was setup correctly. I have checked and made sure that the correct services are not enabled. I have also tried what was suggested on the support page and checked the integrity of catroot2 as well as renaming it and regenerating the folder. None of these have been able to fix my problem.
    For information, this is the message history when I try to connect:
    [12/8/2014 8:55:49 AM] Ready to connect.
    [12/8/2014 9:27:19 AM] Contacting vpn.[hostaddressremoved].com.
    [12/8/2014 9:27:22 AM] Please enter your username and password.
    [12/8/2014 9:27:29 AM] User credentials entered.
    [12/8/2014 9:27:30 AM] Please respond to banner.
    [12/8/2014 9:27:31 AM] User accepted banner.
    [12/8/2014 9:27:31 AM] Establishing VPN session...
    [12/8/2014 9:27:32 AM] Checking for profile updates...
    [12/8/2014 9:27:32 AM] Checking for product updates...
    [12/8/2014 9:27:32 AM] Checking for customization updates...
    [12/8/2014 9:27:32 AM] Performing any required updates...
    [12/8/2014 9:27:32 AM] Establishing VPN session...
    [12/8/2014 9:27:32 AM] Establishing VPN - Initiating connection...
    [12/8/2014 9:27:33 AM] Establishing VPN - Examining system...
    [12/8/2014 9:27:33 AM] Establishing VPN - Activating VPN adapter...
    [12/8/2014 9:27:33 AM] Establishing VPN - Attempting to repair VPN adapter...
    [12/8/2014 9:27:33 AM] Disconnect in progress, please wait...
    [12/8/2014 9:28:22 AM] Connection attempt has failed.
    [12/8/2014 9:28:24 AM] Ready to connect.
    I have tried every kind of search I can think of to find any other solutions to try, and I cannot find anything else. Does anyone have any other recommendations of what to try in order to be able to connect to my client?
    -TheJayDude

    Yes, I am sorry to say that several people have seen the same issue. It seems like the issue is specific to Yosemite and AnyConnect. My very technical staff and I have tried many things. The default route is missing and the file /var/run/resolv.conf is also missing, which means that both the route and DNS server are messed up. We re-added the default route manually, which allows us to ping the servers and even access them via the IP address.
    Run the command below before starting the VPN to get the default route:
    netstat -nr | grep default
    Then run the following to re-add the default route:
    route add default xxx.xxx.xxx.xxx
    BUT there is no way that I can find to fix the DNS entry.
    We tried re-adding the DNS entries in /var/run/resolv.conf and then restarting the DNS service:
    $ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist
    Password:
    $ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist
    BUT THIS DOES NOT WORK!
    If anyone can help us solve the DNS issue, at least we have a work-around for our technical people until Cisco and/or Apple can resolve it.
    Here is a link to the same issue at Cisco.
    https://supportforums.cisco.com/discussion/12334071/cisco-anyconnect-secure-mobility-client-os-x-yosemite-vpn-not-working-if-mac
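    Added example, not the poster's or Cisco's code, for the two-step workaround above and for Gerry's earlier question about reading the default gateway programmatically: parse the same "netstat -nr" output the post greps, pull out the IPv4 default gateway, and only emit the "route add default" command when the IPv4 default route is genuinely gone. Both netstat listings below are constructed to match the macOS/BSD column layout; they are not captured output.

```python
"""Read and, if needed, repair the default route the way the post does with
`netstat -nr | grep default` and `route add default <gw>`, with the parsing in
code so the route is only re-added when it is really missing.

Added example, not code from the thread.  The netstat listings are constructed
in the macOS/BSD layout, not captured from a machine."""
import ipaddress

# Before starting the VPN: a normal IPv4 default route via the LAN router.
NETSTAT_OK = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           22        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#4             UCS             2        0     en0

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::%utun0                    UGcI          utun0
::1                                     ::1                             UHL           lo0
"""

# Same host after the failed AnyConnect attempt: IPv4 default route gone.
NETSTAT_BROKEN = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#4             UCS             2        0     en0

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::%utun0                    UGcI          utun0
"""


def default_routes(netstat_text):
    """Parse `netstat -nr` (macOS/BSD layout) into [(family, gateway, netif)]."""
    routes, family = [], None
    for line in netstat_text.splitlines():
        if line.startswith("Internet6:"):
            family = 6
        elif line.startswith("Internet:"):
            family = 4
        tokens = line.split()
        if family and tokens and tokens[0] == "default":
            # IPv4 table: Dest Gateway Flags Refs Use Netif Expire
            # IPv6 table: Dest Gateway Flags Netif Expire
            netif = tokens[5] if family == 4 else tokens[3]
            routes.append((family, tokens[1], netif))
    return routes


def ipv4_default_gateway(netstat_text):
    """Gateway of the IPv4 default route, or None if there is none."""
    for family, gateway, _netif in default_routes(netstat_text):
        if family == 4:
            return gateway
    return None


def repair_command(netstat_text, saved_gateway):
    """argv for the post's `route add default <gw>` step, or None when the
    IPv4 default route is still present (never blindly re-add it)."""
    ipaddress.IPv4Address(saved_gateway)   # refuse garbage before it reaches `route`
    if ipv4_default_gateway(netstat_text) is not None:
        return None
    return ["sudo", "route", "add", "default", saved_gateway]


if __name__ == "__main__":
    saved = ipv4_default_gateway(NETSTAT_OK)        # step 1, before the VPN
    print("saved gateway:", saved)
    print("repair:", repair_command(NETSTAT_BROKEN, saved))   # step 2, after
```

    One caveat before scripting this: on a tunnel-all policy AnyConnect removes the LAN default route on purpose so that everything goes into the VPN; re-adding it sends traffic outside the tunnel, so the workaround only makes sense where split tunneling was intended in the first place. The DNS half is a separate problem: on OS X /etc/resolv.conf is a symlink to /var/run/resolv.conf, which configd regenerates from the system DNS configuration, so hand edits to that file do not survive.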

  • AAA static IP address for RA VPN Client

    Hi,
    My VPN group and VPN pool are created locally on the Cisco VPN router, but users are authenticated through ACS, an AAA server, via TACACS+. Now I want to assign a static IP address to a VPN client. Everything is fine, but due to an application problem I want to give them a static IP address from the VPN pool. I have created one pool in the AAA server and also configured the client in AAA to get the static IP address, but I am unable to do this. Please help me out with how to do this.
    My router is configured for TACACS+. I have checked the user configuration in the AAA server to get the static IP address but it is not working. Please help me out with how to do this. I can't change the router to RADIUS, because this is my main router, which is configured for 160 sites through ISDN, and these sites are also configured for TACACS+.
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group Aviation-VPN
     key egntosc
     pool aviation-pool
     acl avi-tunnel
     save-password
     netmask 255.255.255.0
    !
    crypto isakmp profile vpnclient
     match identity group Aviation-VPN
     client authentication list default
     isakmp authorization list Aviation-authorization
     client configuration address respond
    !
    crypto ipsec transform-set aviset esp-3des esp-sha-hmac
    !
    crypto dynamic-map avi 10
     set transform-set aviset
     set isakmp-profile vpnclient
     reverse-route

    Since you're using ACS, I believe the way to do this is to go into ACS and select the username of the user that you want to get the static IP. Under that user's setup, there is an option to always assign the same IP. Just select that and enter the IP you want them to get. - chris

  • Vlan based default gateway

    Alteon Web OS allows you to assign different default gateways for each VLAN. You can effectively map multiple customers to specific gateways on a single switch.
    Do Cisco load balancers support a different default gateway for each VLAN?

    One way of doing it today would be to define a serverfarm for each gateway, and have a vserver match_all for every VLAN.
    For example,
    serverfarm gateway_1
     no nat client
     no nat server
     real x.x.x.x
    serverfarm gateway_2
     <...>
    vserver gateway_vlan1
     virtual 0.0.0.0 /0 any
     serverfarm gateway_1
     vlan
    vserver gateway_vlan2
     virtual 0.0.0.0 /0 any
     serverfarm gateway_2
     vlan

  • How get the RVS4000's DHCP server to assign another IP address other than its own as the default gateway to its DHCP clients?

    Hi,
    I have an RVS4000 router with DHCP enabled and in router mode.
    The LAN is 192.168.2.x. The RVS4000 static IP address is 192.168.2.8.
    The router is not the RVS4000 and is at 192.168.2.1.
    The RVS4000 DHCP is assigning its clients a default gateway of 192.168.2.8 instead of what I want, 192.168.2.1.
    How can I get the RVS4000's DHCP server to assign another IP address other than its own as the default gateway to its DHCP clients?
    Thanks

    Hi Gail, you cannot do this. The router, as the DHCP server, will only assign a default gateway of whatever IP interface the DHCP server runs on. If you have the default IP, the gateway is 192.168.1.1. If you create a second VLAN, by default it would be 192.168.2.1.
    There are no configuration options for the built-in DHCP server. If you'd like to expand this functionality, you would need an external DHCP server.
    -Tom
    Please mark answered for helpful posts

  • Default Gateway address for multiple VPN users/clients

    Hello,
    We need some help with a VPN setup for a school project.
    What we want to do:
    We would like to have approx. 10 different VPN users that can connect to our Windows Server 2012 R2, which is set up as a VPN server through the role called Remote Access. The VPN server is working and we are able to connect to it from another location/computer.
    Our current setup:
    We have a Cisco router that is configured with 10 VLANs, from VLAN 10 to VLAN 20, and a management VLAN called VLAN 100.
    The Cisco router is also acting as DHCP server, so inside each VLAN the DHCP gives IP addresses for that specific VLAN. Ex: VLAN 10 has a 192.168.10.0/24 network, VLAN 11 has a 192.168.11.0/24 network, and so on. VLAN 100 has 192.168.100.0/24. This VLAN 100 has connection to all the VLANs.
    We have an internet connection on the router on port 0 and each VLAN is connected to the internet.
    We have set up the VPN server with a static IP configuration so it is inside VLAN 100 with a default gateway like 192.168.100.1, so the VPN server is connected to the internet.
    In AD we have created a user and assigned a static IP address in the user properties, under the Dial-In tab. Here we give this user the IP 192.168.10.225.
    Now when we connect to the VPN server using this user, we have no connection to any of the VLANs (ping) and no internet. When we write ipconfig in cmd we can see that our VPN connection has this IP, 192.168.10.225, but a subnet mask of 255.255.255.255 and a default gateway of 0.0.0.0.
    We would like the user to receive the correct IP settings, like: if we connect with our user, it should receive the IP as it does, but also a subnet mask of 255.255.255.0 and a default gateway of 192.168.10.1.
    How is this achieved?
    The reason we want this is: we want to create a VPN user for each VLAN. So a user with permission to access VLAN 10 but not able to see the other VLANs, and then a new user to access VLAN 11 but not able to see the other VLANs, and so on.
    Hope someone is able to help us to understand how this is done.
    Thank you in advance.

    Hi,
    In brief, we can't achieve this. Normally, we would not do this.
    Usually, we use firewall or ACL to restrict the remote users.
    For example, 192.168.10.100 is assigned to user1 and 192.168.10.101 is assigned to user2. We can use firewall to restrict 192.168.10.100 to access 192.168.10.0/24 and 192.168.10.101 to access 192.168.11.0/24.
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • VPN Client : Default Gateway

    Hi,
    I have an ASA 5505 with ASA v8.0.3 and ASDM v6.0.3.
    The VPN connection works; the client receives the IP from the defined pool, but the default gateway is not correct. Is it possible to define the gateway in the pool?
    Thank you

    Dimitri
    I am not clear what default gateway you expected, what default gateway you got, or what was not correct about the gateway. Perhaps you can clarify?
    In my experience many people are surprised that the gateway address is the clients own address and not some other address in the subnet as we normally expect with a LAN client. But this is normal behavior on what is essentially a point to point connection from the client to the concentrator. Is this perhaps what you were thinking was an error?
    HTH
    Rick

  • Some clients get Default Gateway assigned from WRT300N while others don't

    Two existing desktops, one wired and the other wireless, and an existing laptop on wireless connect to the internet fine.
    Trying to add work laptops: they acquire the wireless signal and get a DHCP IP address assigned, but don't connect. Looked at the ipconfig output and it shows no default gateway - the router IP is set to 192.168.1.1 - with everything default; I did a reset on it.
    The existing machines all have a default gateway assigned. The only difference I see is that the work machines are XP Pro. Never had problems with the work laptops connecting anywhere else.
    Any ideas on how to set this up so the work laptops can connect?

    namralk wrote:
    Ethernet adapter VMware Network Adapter VMnet8:
            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
            Physical Address. . . . . . . . . : 00-50-56-C0-00-08
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.1.1
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . :
    You have configured VMware on your computer to use 192.168.1.1 on the VMnet8 adapter. This means the computer uses 192.168.1.1 itself on that adapter and obviously won't set 192.168.1.1 as default gateway on your wireless adapter, because 192.168.1.1 is the computer itself.
    Fix your network configuration in VMware. After that, an "ipconfig /renew *" or a reboot should obtain a new working lease including the default gateway. Make sure VMware does not use the 192.168.1.0/255.255.255.0 subnet for its network adapters.
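    Added example (not from the thread) that automates the diagnosis in the answer above: parse ipconfig output into adapters, flag any adapter that itself owns the address the others expect as their gateway, list DHCP adapters whose lease came without a gateway, and report adapters whose subnets overlap. The ipconfig listing is constructed to reproduce the VMnet8 case in XP format; the parser also accepts the Windows 7 "IPv4 Address" label and its "(Preferred)" suffix.

```python
"""Diagnose a 'no default gateway' lease the way the answer above does: parse
ipconfig output and look for an adapter that owns the gateway address itself.

Added example, not code from the thread.  IPCONFIG_SAMPLE is constructed to
reproduce the VMnet8 case in XP format."""
import ipaddress
import re

IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG
        Physical Address. . . . . . . . . : 00-13-02-AA-BB-CC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
        Physical Address. . . . . . . . . : 00-50-56-C0-00-08
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
"""

_HEADER = re.compile(r"^\S.*adapter (.+):\s*$")
_FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9\- ]*?)[ .]*:\s?(.*)$")
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text):
    """Return [{name, ip, mask, gateway, dhcp}] for every adapter in `text`."""
    adapters, current = [], None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = {"name": header.group(1), "ip": None, "mask": None,
                       "gateway": None, "dhcp": None}
            adapters.append(current)
            continue
        field = _FIELD.match(line)
        if not (field and current):
            continue
        key, value = field.group(1).strip().lower(), field.group(2).strip()
        addr = _IPV4.search(value)            # None for an empty value
        if key in ("ip address", "ipv4 address"):
            current["ip"] = addr.group(0) if addr else None
        elif key == "subnet mask":
            current["mask"] = addr.group(0) if addr else None
        elif key == "default gateway":
            current["gateway"] = addr.group(0) if addr else None
        elif key == "dhcp enabled":
            current["dhcp"] = value.lower().startswith("yes")
    return adapters


def gateway_problems(adapters, expected_gateway):
    """(conflicts, missing): adapters that *own* expected_gateway, and DHCP
    adapters whose lease came with an address but no default gateway."""
    conflicts = [a["name"] for a in adapters if a["ip"] == expected_gateway]
    missing = [a["name"] for a in adapters
               if a["dhcp"] and a["ip"] and not a["gateway"]]
    return conflicts, missing


def overlapping_subnets(adapters):
    """Pairs of adapter names whose IPv4 subnets overlap (the fix in the thread
    is to move VMnet8 off 192.168.1.0/24)."""
    nets = [(a["name"], ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False))
            for a in adapters if a["ip"] and a["mask"]]
    return [(n1, n2) for i, (n1, net1) in enumerate(nets)
            for n2, net2 in nets[i + 1:] if net1.overlaps(net2)]


if __name__ == "__main__":
    found = parse_ipconfig(IPCONFIG_SAMPLE)
    print("conflicts / missing gateway:", gateway_problems(found, "192.168.1.1"))
    print("overlapping subnets:", overlapping_subnets(found))
```

    Feed it the output of "ipconfig /all" from the affected laptop; an adapter listed under conflicts is the one to renumber, and after that a renew on the adapter listed under missing should pick up the gateway.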

  • Incorrect Default Gateway for Clients using a Concentrator

    Hey all,
    Hopefully an easy one - I'm trying to configure a VPN Concentrator for use with the old VPN Client for an IPSec CVPN.
    The clients connect fine, but they are getting the incorrect default gateway during the address assignment.
    My address pool is 192.168.0.128/25. The client correctly picks up the first address in the range, 192.168.0.129, but the default gateway for the VPN adapter is assigned as the next address in the range, 192.168.0.130.
    I need the gateway address to be 192.168.0.254 (the SVI of the L3 switch connected to the Concentrator), but I can't for the life of me find a configuration option anywhere in the pool assignment. I've set the tunnel default gateway to 192.168.0.254, but this makes no difference.
    Any ideas where I can find this config option?
    Thanks!

    Andrew
    In the chart that you posted about the routing setup it refers to a DMZ network and DMZ gateway. Can you clarify what these are, since I do not see them in the drawing that is in that post?
    I agree with Herbert that it is cleaner to have the address pool on the concentrator use addresses that do not overlap with the concentrator subnet connecting to the layer 3 switch. As long as the layer 3 switch has a route to that address pool, and the next hop in the route is the address of the concentrator interface, the separate pool addressing should work just fine.
    I have re-read this thread and want to make sure that, after some changes that you have made, the problem symptoms are still the same. You told us earlier that: "Now the client can ping the interfaces on its local LAN (concentrator interface 192.168.0.253, and the L3 switch, 192.168.0.253), but it cannot reach the rest of our internal LAN behind the layer 3 switch." Is this still an accurate statement of the problem?
    As Herbert said earlier, this could either be caused by the concentrator not having a correct route for the inside, or it could be because the inside does not have a correct route to the client. In re-reading your description of the routing setup it looks like the concentrator has a default route configured but not the tunnel default route. May I suggest that you try configuring a tunnel default route (in addition to the normal default route) and see whether that makes any difference?
    If that does not help the problem then I would suggest that you verify that the devices on the inside do have their default gateway set correctly and that the layer 3 switch does have a route for the VPN address pool with the concentrator interface address as the next hop.
    HTH
    Rick
    [edit] I just focused on the question that you asked about the concentrator possibly needing a route for the address pool. The concentrator does not need any route statements for the address pool - it knows its own address pool, pretty much like having a connected interface subnet. The layer 3 switch is what needs a route for the address pool.
