Question : Cisco VPN connection to PIX 506: AddRoute failed to add a route: code 87
Unable to connect to 'inside' interface (192.168.1.2) on PIX 506. The 'outside' interface is 192.168.100.80. The following is my Cisco VPN client log:
1 17:41:24.828 01/13/07 Sev=Warning/3 GUI/0xA3B0000B Reloaded the Certificates in all Certificate Stores successfully.
2 17:47:53.656 01/13/07 Sev=Info/4 CM/0x63100002 Begin connection process
3 17:47:53.671 01/13/07 Sev=Info/4 CVPND/0xE3400001 Microsoft IPSec Policy Agent service stopped successfully
4 17:47:53.671 01/13/07 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet
5 17:47:53.671 01/13/07 Sev=Info/4 CM/0x63100024 Attempt connection with server "x.x.x.x"
6 17:47:54.671 01/13/07 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with x.x.x.x.
7 17:47:54.687 01/13/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
8 17:47:54.687 01/13/07 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started
9 17:47:54.687 01/13/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
10 17:47:54.687 01/13/07 Sev=Info/6 IPSEC/0x6370002C Sent 306 packets, 0 were fragmented.
11 17:47:55.015 01/13/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = x.x.x.x
12 17:47:55.015 01/13/07 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from x.x.x.x
13 17:47:55.015 01/13/07 Sev=Info/5 IKE/0x63000001 Peer supports XAUTH
14 17:47:55.015 01/13/07 Sev=Info/5 IKE/0x63000001 Peer supports DPD
15 17:47:55.015 01/13/07 Sev=Info/5 IKE/0x63000001 Peer is a Cisco-Unity compliant peer
16 17:47:55.015 01/13/07 Sev=Info/5 IKE/0x63000082 Received IOS Vendor ID with unknown capabilities flag 0x00000025
17 17:47:55.031 01/13/07 Sev=Info/6 IKE/0x63000001 IOS Vendor ID Contruction successful
18 17:47:55.031 01/13/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to x.x.x.x
19 17:47:55.031 01/13/07 Sev=Info/4 IKE/0x63000083 IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
20 17:47:55.031 01/13/07 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
21 17:47:55.031 01/13/07 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
22 17:47:55.046 01/13/07 Sev=Info/5 IKE/0x6300005E Client sending a firewall request to concentrator
23 17:47:55.046 01/13/07 Sev=Info/5 IKE/0x6300005D Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
24 17:47:55.046 01/13/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
25 17:47:55.125 01/13/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = x.x.x.x
26 17:47:55.125 01/13/07 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
27 17:47:55.125 01/13/07 Sev=Info/5 IKE/0x63000045 RESPONDER-LIFETIME notify has value of 86400 seconds
28 17:47:55.125 01/13/07 Sev=Info/5 IKE/0x63000047 This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
29 17:47:55.140 01/13/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = x.x.x.x
30 17:47:55.156 01/13/07 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
31 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.100.80
32 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.1.27
33 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 192.168.1.27
34 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x6300000E MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxxxxxx.local
35 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x6300000D MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
36 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x6300000F SPLIT_NET #1 subnet = 0.0.0.0 mask = 0.0.0.0 protocol = 0 src port = 0 dest port=0
37 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x6300000D MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
38 17:47:55.156 01/13/07 Sev=Info/4 CM/0x63100019 Mode Config data received
39 17:47:55.156 01/13/07 Sev=Info/4 IKE/0x63000056 Received a key request from Driver: Local IP = 192.168.100.80, GW IP = x.x.x.x, Remote IP = 0.0.0.0
40 17:47:55.156 01/13/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x
41 17:47:55.328 01/13/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = x.x.x.x
42 17:47:55.328 01/13/07 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
43 17:47:55.328 01/13/07 Sev=Info/5 IKE/0x63000045 RESPONDER-LIFETIME notify has value of 28800 seconds
44 17:47:55.328 01/13/07 Sev=Info/5 IKE/0x63000046 RESPONDER-LIFETIME notify has value of 4608000 kb
45 17:47:55.328 01/13/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH) to x.x.x.x
46 17:47:55.328 01/13/07 Sev=Info/5 IKE/0x63000059 Loading IPsec SA (MsgID=5EB7077F OUTBOUND SPI = 0x7CD0776D INBOUND SPI = 0x4392774A)
47 17:47:55.328 01/13/07 Sev=Info/5 IKE/0x63000025 Loaded OUTBOUND ESP SPI: 0x7CD0776D
48 17:47:55.328 01/13/07 Sev=Info/5 IKE/0x63000026 Loaded INBOUND ESP SPI: 0x4392774A
49 17:47:55.390 01/13/07 Sev=Info/5 CVPND/0x63400013
Destination      Netmask          Gateway         Interface       Metric
0.0.0.0          0.0.0.0          192.168.5.10    192.168.5.11    20
127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
192.168.5.0      255.255.255.0    192.168.5.11    192.168.5.11    20
192.168.5.11     255.255.255.255  127.0.0.1       127.0.0.1       20
192.168.5.255    255.255.255.255  192.168.5.11    192.168.5.11    20
224.0.0.0        240.0.0.0        192.168.5.11    192.168.5.11    20
255.255.255.255  255.255.255.255  192.168.5.11    0.0.0.0         1
255.255.255.255  255.255.255.255  192.168.5.11    192.168.5.11    1
50 17:47:55.921 01/13/07 Sev=Info/4 CM/0x63100034 The Virtual Adapter was enabled: IP=192.168.100.80/255.255.255.0 DNS=192.168.1.27,0.0.0.0 WINS=192.168.1.27,0.0.0.0 Domain=xxxxxxxx.local Split DNS Names=
51 17:47:55.921 01/13/07 Sev=Info/5 CVPND/0x63400013
Destination      Netmask          Gateway         Interface       Metric
0.0.0.0          0.0.0.0          192.168.5.10    192.168.5.11    20
127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
192.168.1.0      255.255.255.255  192.168.100.80  192.168.100.80  1
192.168.5.0      255.255.255.0    192.168.5.11    192.168.5.11    20
192.168.5.11     255.255.255.255  127.0.0.1       127.0.0.1       20
192.168.5.255    255.255.255.255  192.168.5.11    192.168.5.11    20
192.168.100.0    255.255.255.0    192.168.100.80  192.168.100.80  20
192.168.100.80   255.255.255.255  127.0.0.1       127.0.0.1       20
192.168.100.255  255.255.255.255  192.168.100.80  192.168.100.80  20
224.0.0.0        240.0.0.0        192.168.5.11    192.168.5.11    20
224.0.0.0        240.0.0.0        192.168.100.80  192.168.100.80  20
255.255.255.255  255.255.255.255  192.168.5.11    192.168.5.11    1
255.255.255.255  255.255.255.255  192.168.5.11    0.0.0.0         1
255.255.255.255  255.255.255.255  192.168.100.80  192.168.100.80  1
52 17:47:55.921 01/13/07 Sev=Warning/2 CVPND/0xE3400013 AddRoute failed to add a route: code 87 Destination 192.168.5.255 Netmask 255.255.255.255 Gateway 192.168.100.80 Interface 192.168.100.80
53 17:47:55.921 01/13/07 Sev=Warning/2 CM/0xA3100024 Unable to add route. Network: c0a805ff, Netmask: ffffffff, Interface: c0a86450, Gateway: c0a86450.
54 17:47:55.937 01/13/07 Sev=Info/4 CM/0x63100038 Successfully saved route changes to file.
55 17:47:55.937 01/13/07 Sev=Info/5 CVPND/0x63400013
Destination      Netmask          Gateway         Interface       Metric
0.0.0.0          0.0.0.0          192.168.5.10    192.168.5.11    20
0.0.0.0          0.0.0.0          192.168.100.80  192.168.100.80  1
x.x.x.x          255.255.255.255  192.168.5.10    192.168.5.11    1
127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
192.168.1.0      255.255.255.255  192.168.100.80  192.168.100.80  1
192.168.5.0      255.255.255.0    192.168.5.11    192.168.5.11    20
192.168.5.0      255.255.255.0    192.168.100.80  192.168.100.80  20
192.168.5.10     255.255.255.255  192.168.5.11    192.168.5.11    1
192.168.5.11     255.255.255.255  127.0.0.1       127.0.0.1       20
192.168.5.255    255.255.255.255  192.168.5.11    192.168.5.11    20
192.168.100.0    255.255.255.0    192.168.100.80  192.168.100.80  20
192.168.100.80   255.255.255.255  127.0.0.1       127.0.0.1       20
192.168.100.255  255.255.255.255  192.168.100.80  192.168.100.80  20
224.0.0.0        240.0.0.0        192.168.5.11    192.168.5.11    20
224.0.0.0        240.0.0.0        192.168.100.80  192.168.100.80  20
255.255.255.255  255.255.255.255  192.168.5.11    192.168.5.11    1
255.255.255.255  255.255.255.255  192.168.5.11    0.0.0.0         1
255.255.255.255  255.255.255.255  192.168.100.80  192.168.100.80  1
56 17:47:55.937 01/13/07 Sev=Info/6 CM/0x63100036 The routing table was updated for the Virtual Adapter
57 17:47:56.000 01/13/07 Sev=Info/4 CM/0x6310001A One secure connection established
58 17:47:56.046 01/13/07 Sev=Info/4 CM/0x6310003B Address watch added for 192.168.5.11. Current hostname: RMMLifebook, Current address(es): 192.168.100.80, 192.168.5.11.
59 17:47:56.062 01/13/07 Sev=Info/4 CM/0x6310003B Address watch added for 192.168.100.80. Current hostname: RMMLifebook, Current address(es): 192.168.100.80, 192.168.5.11.
Any help or suggestions would be greatly appreciated.
Answer : Cisco VPN connection to PIX 506: AddRoute failed to add a route: code 87
Going back and looking at the log, it does seem to successfully connect to the VPN. So for now I would ignore the route add failure.
So, after you get connected, what can't you do?
You may want to go to here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
and search for "VPN Client"; there are a couple of different sample configs that may help you with the PIX config.
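
The reading of the log given in the answer, as an added example that is not part of the original thread: a small Python parser for the client log format shown in the question that checks whether Phase 1, the IPsec SAs and the connection came up, and decodes the hex addresses in the "Unable to add route" warning. The sample entries are copied from the posted log; the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: entries 20, 31, 48, 52, 53 and 57 copied from the log in the question.
SAMPLE_LOG = """\
20 17:47:55.031 01/13/07 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
31 17:47:55.156 01/13/07 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.100.80
48 17:47:55.328 01/13/07 Sev=Info/5 IKE/0x63000026 Loaded INBOUND ESP SPI: 0x4392774A
52 17:47:55.921 01/13/07 Sev=Warning/2 CVPND/0xE3400013 AddRoute failed to add a route: code 87 Destination 192.168.5.255 Netmask 255.255.255.255 Gateway 192.168.100.80 Interface 192.168.100.80
53 17:47:55.921 01/13/07 Sev=Warning/2 CM/0xA3100024 Unable to add route. Network: c0a805ff, Netmask: ffffffff, Interface: c0a86450, Gateway: c0a86450.
57 17:47:56.000 01/13/07 Sev=Info/4 CM/0x6310001A One secure connection established
"""

# seq, time, date, Sev=<name>/<level>, <module>/<message id>, free text
ENTRY = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s+(.*)$")
HEX_FIELD = re.compile(r"(Network|Netmask|Interface|Gateway): ([0-9a-f]{8})")
KEYS = ("seq", "time", "date", "sev", "level", "module", "msg_id", "text")

def parse(log):
    """Yield one dict per well-formed log entry; continuation lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield dict(zip(KEYS, m.groups()))

def decode_route(text):
    """Turn the hex fields of an 'Unable to add route' message into dotted quads."""
    return {k.lower(): str(ipaddress.IPv4Address(int(v, 16)))
            for k, v in HEX_FIELD.findall(text)}

def triage(log):
    """Summarise tunnel state and route-add failures from a client log."""
    entries = list(parse(log))
    texts = [e["text"] for e in entries]
    return {
        "phase1": any(t.startswith("Established Phase 1 SA") for t in texts),
        "ipsec_sa": any("ESP SPI" in t for t in texts),
        "connected": any("secure connection established" in t for t in texts),
        "warnings": [(e["seq"], e["module"]) for e in entries if e["sev"] == "Warning"],
        "failed_routes": [decode_route(t) for t in texts
                          if t.startswith("Unable to add route")],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The decoded failure is a host route for 192.168.5.255, the broadcast address of the client's local LAN, pointed at the VPN virtual adapter (192.168.100.80), while the tunnel itself is reported as established. 87 is the numeric value of the Win32 error ERROR_INVALID_PARAMETER.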