AnyConnect Error: Unable To Verify IP Forwarding Table Modifications

KB ID 0001646

Problem

While attempting to connect to a client's AnyConnect VPN, this happened:

[Image: VPN unable to modify IP Forwarding]

The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.

Or, on older clients, you may see:

The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again.

Solution

I was trying to connect from my house; I’d used this connection before from work and it was fine. I worked my way round the problem, got my work finished, then re-looked at it the next time I was working from home.

The problem is actually quite simple; take a look at the IP I was using in my house.

[Image: Overlapping IP VPN AnyConnect]

Then take a look at the VPN pool addresses that get allocated to the remote VPN clients (they overlap):

show run | incl pool

[Image: Overlapping IP VPN AnyConnect Error]

Note: This assumes you are using an ‘IP Pool’. If you are using an external DHCP server at the ‘Head end’, then you will need to check/change the scope there.

AnyConnect – Using a Windows DHCP Server to Lease IP Addresses to the Remote Clients

I fixed the problem by simply changing the ‘pool’ so it didn’t overlap.

[Image: Change AnyConnect Subnet]

WARNING: If you have any routing going on behind your firewall (i.e. you have layer 3 switches internally, routing between networks or VLANs), you may need to change them to route the ‘new’ AnyConnect subnet back to the firewall.
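
An added example (not from the original article): a Python check that parses `ip local pool` lines from `show run | incl pool` output and reports which pools overlap a client's local networks, including any virtual NICs. The pool names, addresses and interface list are constructed sample values, and treating the pool's mask as the subnet the client sees is an assumption of this example.

```python
import ipaddress
import re

# ASA syntax: ip local pool NAME first-last [mask netmask]
POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"
    r"(?: mask (\d+\.\d+\.\d+\.\d+))?$"
)

def parse_pools(config_text):
    """Map pool name -> list of IPv4 networks the pool occupies."""
    pools = {}
    for line in config_text.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue  # not a pool definition (e.g. 'address-pool value ...')
        name, first, last, mask = m.groups()
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            continue  # malformed range, ignore
        nets = list(ipaddress.summarize_address_range(lo, hi))
        if mask:
            # Assumption: clients treat the whole masked subnet as the VPN network.
            nets.append(ipaddress.IPv4Network(f"{first}/{mask}", strict=False))
        pools[name] = nets
    return pools

def find_overlaps(config_text, local_cidrs):
    """Return sorted (pool_name, local_network) pairs that overlap."""
    hits = set()
    for name, nets in parse_pools(config_text).items():
        for cidr in local_cidrs:
            local = ipaddress.ip_interface(cidr).network
            if any(local.overlaps(net) for net in nets):
                hits.add((name, str(local)))
    return sorted(hits)

# Constructed sample data: firewall output and the client's interface addresses.
SAMPLE_CONFIG = """\
ip local pool VPN-POOL 192.168.1.100-192.168.1.150 mask 255.255.255.0
ip local pool NEW-POOL 172.16.250.1-172.16.250.50 mask 255.255.255.0
 address-pool value VPN-POOL
"""
SAMPLE_LOCAL = ["192.168.1.23/24", "192.168.56.1/24"]  # home LAN, virtual NIC

if __name__ == "__main__":
    for pool, net in find_overlaps(SAMPLE_CONFIG, SAMPLE_LOCAL):
        print(f"pool {pool} overlaps local network {net}")
```
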

Update: Solution Windows 10

If you are experiencing this problem on Windows 10, and the above solution is not applicable, consider deleting the following two files:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\routechangesv4.bin
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\routechangesv6.bin


Author: PeteLong


14 Comments

  1. Hi PeteLong,

    I’m facing the same problem, but I’m pretty sure that the network the laptop is connected to does not overlap with the VPN subnet, and I tried 2 laptops: 1 failed, 1 succeeded, while both connect to the same AP and have the same IP range.

    Do you have any idea?

    • Check all the NICs (wireless and wired), and make sure it doesn’t have VMware Workstation or something similar with a virtual NIC also.

      P

    • Please help!! I have been working from home fine. Suddenly I get the error message as above. I am not great with tech so cannot work through your solution……😔

  2. I get the following error when I try to run the command “show run | incl pool”

    Error I get = -sh: show: command not found
    -sh: incl: command not found

    Please advise

    • Are you in enable mode? Does the prompt end in a hash #?

      • Please show me how to enter enable mode

        • Type the command ‘enable’

      • NeuwaMacBookPro:/ neuwa$ show run | incl pool
        -sh: show: command not found
        -sh: incl: command not found
        NeuwaMacBookPro:/ neuwa$ en..
        -sh: en..: command not found
        NeuwaMacBookPro:/ neuwa$ en
        -sh: en: command not found
        NeuwaMacBookPro:/ neuwa$

        This is me trying to run those commands. But I am not able to enter enable mode.

        • You run those commands on the firewall, not your MacBook?

          • I ran the commands on my MacBook

          • Yeah, I saw that; you run them on the firewall.

          • This happened to me when I had both Wi-Fi and Ethernet on at the same time for some reason. When I turned off Wi-Fi, I still had the Wi-Fi assigned IP address. What worked for me is just renewing the DHCP lease (from Network settings, click advanced, then ‘renew DHCP lease’).

  3. I would have this problem from time to time with clients. They would hook up to their home network and get a private IP and get this error when connecting. I would tell them to reboot and whatever conflict was resolved.
