Meraki

Community

Anyconnect IPV6 routing even with it disabled

chesterweirdo
Here to help
‎Jun 28 2022 1:16 AM
‎Jun 28 2022 1:16 AM

Anyconnect IPV6 routing even with it disabled

Hi, We have an issue with Linux users where the AnyConnect VPN client is routing IPv6 traffic using the client even with the option disabled.

 

We have set in our xml file

<IPProtocolSupport>IPv4</IPProtocolSupport>

 

But we still get DNS routing via IPV6 so it fails. 

 

I did find an article relating to an ASA which suggested setting client-bypass-protocol but I'm not sure if I can just add that to the XML.

 

They have been able to connect using the openvpn client on Linux

 

Mac and Windows is working fine.

 

Can anyone help?

Labels:
6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 28 2022 12:06 PM
‎Jun 28 2022 12:06 PM

I don't know the answer.

 

To send an IPv6 DNS query over AnyConnect wouldn't the client have to have an IPv6 DNS server configured, and for that IPv6 subnet to be advertised over AnyConnect (assuming you are running split-tunnel - if you are running full tunnel then I guess you should expect "all" traffic to be routed over AnyConnect).

0 Kudos
chesterweirdo
Here to help
‎Jun 28 2022 4:09 PM
‎Jun 28 2022 4:09 PM

Yep we are running split tunnel. We don’t want to send the ipv6 dns over the client. It should really remain local which is why we have tried to turn off ipv6 on the client but it does not seam to work. 

0 Kudos
chesterweirdo
Here to help
‎Jul 20 2022 2:12 PM
‎Jul 20 2022 2:12 PM

Just bumping to see if anyone had a solution. We want to enable mfa but with the client not working that’s not going to be possible. 

0 Kudos
chesterweirdo
Here to help
‎Jul 21 2022 1:42 PM
‎Jul 21 2022 1:42 PM

So I have spent the day looking at this a bit more and trying to understand it. I setup a new Ubuntu machine and installed the AnyConnect client

 

It connects fine and I can browse the internet.

However, running route -6 returns the route table and shows that IPV6 is being routed down cscotun0 when it should not be adding a route.

Having checked on my OSX device connecting to the vpn the IPV route table does not add a record to route it down the tunnel.

 

 

0 Kudos
chesterweirdo
Here to help
‎Jul 22 2022 2:49 AM
‎Jul 22 2022 2:49 AM

So over an hour on the phone with Meraki and no help at all.

Has anyone else used Any connect on a linux machine? Basically, as soon as you connect it add a load of routes to your route table sending IPV6 to the Any connect interface.

That should not be happening as it should have no impact on IPV6. It looks like the traffic does not get to the MX so Meraki are easing their hands with it saying they can prove it does not get to the device.

0 Kudos
In response to chesterweirdo
Frank-NL
Building a reputation
‎Aug 21 2024 5:55 AM
‎Aug 21 2024 5:55 AM

Same issue here, so still going

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.