Anyconnect IPV6 routing even with it disabled

chesterweirdo
Comes here often

Hi, we have an issue with Linux users where the AnyConnect VPN client is routing IPv6 traffic using the client even with the option disabled.

We have set in our XML file

<IPProtocolSupport>IPv4</IPProtocolSupport>

But we still get DNS routing via IPv6 so it fails.

I did find an article relating to an ASA which suggested setting client-bypass-protocol, but I'm not sure if I can just add that to the XML.

They have been able to connect using the OpenVPN client on Linux.

Mac and Windows are working fine.

Can anyone help?

PhilipDAth
Kind of a big deal

I don't know the answer.

To send an IPv6 DNS query over AnyConnect, wouldn't the client have to have an IPv6 DNS server configured, and for that IPv6 subnet to be advertised over AnyConnect (assuming you are running split-tunnel; if you are running full tunnel then I guess you should expect "all" traffic to be routed over AnyConnect)?

chesterweirdo
Comes here often

Yep, we are running split tunnel. We don't want to send the IPv6 DNS over the client. It should really remain local, which is why we have tried to turn off IPv6 on the client, but it does not seem to work.

chesterweirdo
Comes here often

Just bumping to see if anyone had a solution. We want to enable MFA, but with the client not working that's not going to be possible.

chesterweirdo
Comes here often

So I have spent the day looking at this a bit more and trying to understand it. I set up a new Ubuntu machine and installed the AnyConnect client.

It connects fine and I can browse the internet.

However, running route -6 returns the route table and shows that IPv6 is being routed down cscotun0 when it should not be adding a route.

Having checked on my OSX device connecting to the VPN, the IPv6 route table does not add a record to route it down the tunnel.
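A check for the behaviour described in the post above, added here as an example and not from the thread: it scans `ip -6 route show` output (the iproute2 equivalent of `route -6`) for routes whose outgoing device is the AnyConnect interface, ignoring the link-local fe80::/64 entry that every interface gets. The route lines are constructed sample input and cscotun0 is taken from the post; a real run would pipe the live table in.

```shell
# Constructed sample of `ip -6 route show` output: one global route (2000::/3)
# has been pushed onto the tunnel interface, which is the symptom in the thread.
SAMPLE_ROUTES='::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev cscotun0 proto kernel metric 256 pref medium
2000::/3 dev cscotun0 metric 1 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium'

# Print every route line whose "dev" is the given interface, except the
# link-local prefix, which is present on any up interface and is not a leak.
# $1 = interface name, $2 = route table text.
tunnel_ipv6_routes() {
    iface="$1"
    printf '%s\n' "$2" | awk -v dev="$iface" '
        $1 != "fe80::/64" {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) print $0
        }'
}

# Return 1 (and list the offenders) if any non-link-local IPv6 route goes via
# the tunnel; with an IPv4-only profile there should be none.
check_ipv6_leak() {
    iface="$1"
    routes="$2"
    leaks=$(tunnel_ipv6_routes "$iface" "$routes")
    if [ -n "$leaks" ]; then
        printf 'IPv6 routes via %s (expected none):\n%s\n' "$iface" "$leaks"
        return 1
    fi
    printf 'No IPv6 routes via %s\n' "$iface"
    return 0
}

# Live use on a connected Linux client (not run here):
#   check_ipv6_leak cscotun0 "$(ip -6 route show)"
```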

chesterweirdo
Comes here often

So over an hour on the phone with Meraki and no help at all.

Has anyone else used AnyConnect on a Linux machine? Basically, as soon as you connect it adds a load of routes to your route table sending IPv6 to the AnyConnect interface.

That should not be happening, as it should have no impact on IPv6. It looks like the traffic does not get to the MX, so Meraki are washing their hands of it, saying they can prove it does not get to the device.
