I was reminded of this little gem this past weekend while I was doing some consulting work. I was replacing a legacy Cisco router and splitting out the Internet and WAN routing to separate pieces of hardware, so there were more than a few routing changes needed. After about 90 minutes of work and configuration changes, I asked the client to run through their test plan.
I learned a long, long time ago that you need to test the test plan. All too often I’ve found items listed in the test plan never worked even before the change, and many hours were wasted trying to fix something that never worked in the beginning and had nothing to do with the change that was in progress.
I had mentioned this fact to this specific client, but I guess my warning fell on deaf ears. The client was unable to reach site Z via their VPN. I checked all the routing and ACLs and everything looked good. I asked the client if this had worked before today, and the client was adamant that it had worked before this change. It was time for truth or dare. I launched a Windows 7 VM and fired up Cisco AnyConnect so I could observe the problem firsthand. I quickly noticed that my Windows VM didn’t have a route for the remote network in question; the IP network for site Z wasn’t in the split tunnel list. I hadn’t changed anything regarding the VPN AnyConnect configuration, so in short, it had never worked. I added the IP network to the split tunnel list and asked the client to disconnect and reconnect, and bingo, it was now working.
Please do yourself a favor and make life easier on yourself. Run through that test plan before you do anything, and make sure that everything works as expected before you make any changes. It will save you time and money. I’m happy to take on the challenge of unraveling the mystery, but my time isn’t cheap.
Image Credit: Flaviu Lupoian