KB ID 0001646
While attempting to connect to a clients AnyConnect, this happened;
The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.
Or on older clients, you may see;
The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again.
I was trying to connect from my house, I’d used this connection before from work and it was fine. I worked my way round the problem got my work finished, then re-looked at it the next time I was working from home.
The problem is actually quite simple, take a look at the IP I was using in my house.
Then take a look at the VPN Pool addresses that get allocated to the remote VPN clients (they overlap);
show run | incl pool
Note: This assumes you are using an ‘IP Pool’, If you are using an external DHCP server at the ‘Head end’ then you will need to check/change the scope there.
I fixed the problem by simply changing the ‘pool’ so it didn’t overlap.
WARNING: If you have any routing going on behind your firewall (i.e you have layer 3 switches internally, routing between networks or VLANS) you may need to change them to route the ‘new’ AnyConnect subnet back to the firewall.
Update: Solution Windows 10
If you are experiencing this problem on Windows 10, and the above solution is not applicable, consider deleting the following two files;
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\routechangesv4.bin
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\routechangesv6.bin
Related Articles, References, Credits, or External Links