
One of Cisco VPN clients can't access one server

Post by blin » Thu Feb 16, 2017 1:11 pm

Situation: Our VPN users use Cisco AnyConnect VPN to access network resources. The VPN server is a Cisco ASA firewall. After establishing the VPN, one of the users can access everything except one of the SQL servers from his laptop. Pinging the IP gets no reply. The same VPN rules apply to all VPN users.

Troubleshooting:
- If I try to log in with my ID on his laptop, I have the same problem. If we try his ID on other computers, it works.
- I have tried disabling the antivirus and firewall, but that didn't fix it.
- If the same user logs in via AnyConnect from a different computer, he could reach the server.
- Tracert to the server times out.
- We verified all configs. The configs were fine, so we applied captures and found the ASA was not receiving any traffic.
- We performed various troubleshooting steps to resolve this issue on the machine. We installed CCleaner and deleted all temp, prefetch and cookies.
- We fixed more than 1500 registry issues and disabled multiple third-party startups.
- We rebooted the machine, but he still could not reach the server.
- We ran a virus scan and found more than 130 viruses, but could not remove them as it was trial software.
- But even after removing viruses, it was still not connecting to the server.
- We found that a different default gateway was being pushed in the routes compared to the working machine's subnets.
- We collected DART logs from the machine and found that the routing table was getting updated for an unknown reason, due to which the default gateway was changing to 10.0.0.1 instead of 192.168.1.254.
How to Configure and Troubleshoot Cisco
http://www.howtocisco.com

Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com
blin
Site Admin
 
Posts: 3618
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA

Re: One of Cisco VPN clients can't access one server

Post by blin » Thu Feb 16, 2017 2:51 pm

We also found that the home network uses 10.0.0.0/24 and the company network uses 10.0.0.0/16. Both networks are using 10.0.0.1 as the default gateway. After establishing the VPN, all 10.0.0.0 traffic goes to the company LAN. That gave us a tip. We collected DART logs from the machine and found that the routing table was getting updated for an unknown reason, due to which the default gateway was changing to 10.0.0.1 instead of 192.168.1.254.

From the DART logs, please find below the most common errors and routing change notifications.

******************************************

Date : 02/07/2017
Time : 15:21:10
Type : Warning
Source : acvpnagent

Description : Function: CRouteMgr::OnRouteTableChange
File: .\Routing\RouteMgr.cpp
Line: 517
Invoked Function: IRouteHandler::VerifyRouteTable
Return Code: -24117220 (0xFE90001C)
Description: ROUTETABLE_ERROR_UNACCOUNTED_ROUTE_CHANGE_ENTRY


******************************************

Date : 02/07/2017
Time : 15:21:09
Type : Information
Source : acvpnagent

Description : A routing table change notification has been received. Starting automatic correction of the routing table.


******************************************

Date : 02/07/2017
Time : 15:21:10
Type : Warning
Source : acvpnagent

Description : Automatic correction of the routing table has failed. Notifying higher levels of the routing change notification for possible further corrective action.


******************************************

Date : 02/07/2017
Time : 15:21:10
Type : Error
Source : acvpnagent

Description : Function: CVpnMgr::main
File: .\VpnMgr.cpp
Line: 1365
Invoked Function: determinePublicInterface
Return Code: -33161202 (0xFE06000E)
Description: ROUTEMGR_ERROR_PREPARE_CHANGES_FAILED


******************************************

Date : 02/07/2017
Time : 15:21:10
Type : Information
Source : acvpnagent

Description : Routing table - fix (add route) failed, route already exists
Destination Netmask Gateway IfAddr IfName IfIndex LL Metric
10.0.0.0 255.255.0.0 192.168.108.1 192.168.108.13 Local Area Connection 2 23 N 1



******************************************

Date : 02/07/2017
Time : 15:21:10
Type : Information
Source : acvpnagent

Description : Routing table - Original
Destination Netmask Gateway IfAddr IfName IfIndex LL Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.16 Local Area Connection 11 N 0
10.0.0.0 255.255.255.0 0.0.0.0 10.0.0.16 Local Area Connection 11 Y 256
10.0.0.16 255.255.255.255 0.0.0.0 10.0.0.16 Local Area Connection 11 Y 256
10.0.0.111 255.255.255.255 192.168.108.1 192.168.108.13 Local Area Connection 2 23 N 256
10.0.0.255 255.255.255.255 0.0.0.0 10.0.0.16 Local Area Connection 11 Y 256
10.0.0.255 255.255.255.255 192.168.108.1 192.168.108.13 Local Area Connection 2 23 N 256
127.0.0.0 255.0.0.0 0.0.0.0 127.0.0.1 Loopback Pseudo-Interface 1 1 Y 256
127.0.0.1 255.255.255.255 0.0.0.0 127.0.0.1 Loopback Pseudo-Interface 1 1 Y 256
127.255.255.255 255.255.255.255 0.0.0.0 127.0.0.1 Loopback Pseudo-Interface 1 1 Y 256
192.168.108.0 255.255.255.0 0.0.0.0 192.168.108.13 Local Area Connection 2 23 Y 256
192.168.108.13 255.255.255.255 0.0.0.0 192.168.108.13 Local Area Connection 2 23 Y 256
192.168.108.255 255.255.255.255 0.0.0.0 192.168.108.13 Local Area Connection 2 23 Y 256
224.0.0.0 240.0.0.0 0.0.0.0 127.0.0.1

==================

Resolution:
On the basis of the above logs, you may try the following.

A:) Enable client-bypass-protocol from group policy to eliminate the mobile hotspot issue with AnyConnect adapter with the following command.

group-policy vpn attributes
client-bypass-protocol enable

B:) You may upgrade the client from 3.1.02026 to 3.1.14018 only on his machine and see if it works for you.

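Added example (not part of the original posts): the home/company address overlap described in the thread, checked with longest-prefix matching. The route list is constructed from values in the DART records above; treating 192.168.108.13 as the VPN adapter and the destinations 10.0.0.50 and 10.0.5.20 are assumptions made for illustration.

```python
import ipaddress

# Constructed entries modelled on the DART "Routing table" records:
# (destination/prefix, gateway, interface address).
ROUTES = [
    ("0.0.0.0/0",        "10.0.0.1",      "10.0.0.16"),       # home default gateway
    ("10.0.0.0/24",      "on-link",       "10.0.0.16"),       # home LAN
    ("10.0.0.0/16",      "192.168.108.1", "192.168.108.13"),  # company network
    ("10.0.0.111/32",    "192.168.108.1", "192.168.108.13"),  # host route from the log
    ("192.168.108.0/24", "on-link",       "192.168.108.13"),  # adapter subnet
]

VPN_IFADDR = "192.168.108.13"  # assumption: this adapter carries the tunnel


def parse(routes):
    """Turn the string table into (network, gateway, ifaddr) tuples."""
    return [(ipaddress.ip_network(d), gw, ifaddr) for d, gw, ifaddr in routes]


def best_route(dest, routes):
    """Longest-prefix match: the most specific route containing dest wins."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in parse(routes) if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def shadowed_tunnel_routes(routes, vpn_ifaddr):
    """List (tunnel_net, local_net) pairs where a more specific route on a
    non-tunnel interface sits inside a tunnel route and captures its traffic."""
    parsed = parse(routes)
    tunnel = [r[0] for r in parsed if r[2] == vpn_ifaddr]
    local = [r[0] for r in parsed if r[2] != vpn_ifaddr and r[0].prefixlen > 0]
    return [(str(t), str(l)) for t in tunnel for l in local
            if l != t and l.subnet_of(t)]


def leaves_via_tunnel(dest, routes, vpn_ifaddr):
    """True if traffic to dest is sent out of the tunnel adapter."""
    route = best_route(dest, routes)
    return route is not None and route[2] == vpn_ifaddr


if __name__ == "__main__":
    print("shadowed:", shadowed_tunnel_routes(ROUTES, VPN_IFADDR))
    for dest in ("10.0.0.50", "10.0.0.111", "10.0.5.20"):
        print(dest, "via tunnel:", leaves_via_tunnel(dest, ROUTES, VPN_IFADDR))
```

A company host inside 10.0.0.0/24 matches the home LAN's on-link route first, so its packets never reach the ASA, which is consistent with the captures showing no traffic from this laptop.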
