Cisco AnyConnect Secure Mobility Client on OS X Yosemite - VPN not working if the Mac is connected via Iphone HotSpot

Answered Question
Oct 23rd, 2014

I have encountered a strange situation with Yosemite and Cisco AnyConnect Secure Mobility Client (all recent versions including the latest, 3.1.05187).

If the Mac is using the internet connection of the iPhone (via Bluetooth or WiFi), when I connect with the client everything stops working, from the Internet to the traffic over the tunnel. We are using Split Tunnel with Split DNS for our internal addresses. Somehow the DNS is not working anymore.

I can ping via IP but not by name; I also cannot ping any address on the internet unless I manually add the default route again.

Anybody encountered this problem?

simon.anthony Thu, 10/23/2014 - 12:30

I can say that I also have exactly these symptoms.

I have 3.1.05187. Just upgraded to Yosemite. Split tunnel/DNS and all was fine last week on Mountain Lion.

DNS does not work when VPN is connected using USB/Bluetooth Hotspot (i.e. tethered). Regular WiFi is fine.

marcusaharold Tue, 10/28/2014 - 06:11

Exactly the same for me. Have tried every older version of AnyConnect I can find, multiple different ASAs, 2 different iPads, 3 different iPhones, reloaded O/S from scratch, and 3 different MacBook Pros. Issue ONLY occurs when using a connection to an iOS device for access when the Mac is running Yosemite.

Has anyone had any luck with this issue or are we resigned to open a TAC case and then wait on a new version of Anyconnect to be released?

razvan1979 Tue, 10/28/2014 - 06:32

From what I have seen, /etc/resolv.conf disappears entirely after authenticating on AnyConnect.

davidshulman Fri, 10/31/2014 - 00:27

I am having the same issue with employees in my company. Anyone have an idea if this can be fixed with the AnyConnect client, or must Apple fix it?

simon.anthony Mon, 11/03/2014 - 04:06

Just to elaborate...

There is no such issue experienced with the OS X VPN client connecting to the same ASA.

gavinharper13 Mon, 11/03/2014 - 05:53

We have the same issue here too. With an iPhone hotspot and AnyConnect connected, /etc/resolv.conf can't be found, so basically no network activity. Disconnect AnyConnect while still using the iPhone as a hotspot and internet works. Connect to a different wireless network and connect AnyConnect and it works.

Is this a Cisco or Apple issue?

gavinharper13 Thu, 11/20/2014 - 03:36

I don't believe so. We still have the problem, even after the new iPhone and Yosemite updates. We have been trying all sorts. If anyone knows a workaround, that would be helpful.

gavinharper13 Thu, 11/20/2014 - 05:21

The resolv.conf file gets deleted once the VPN is connected; we have tried replacing it, but it still won't work.

It returns, once we quit the VPN or connect to a non iPhone hotspot or avulse wireless network

Benjamin Hofstetter Thu, 11/20/2014 - 05:39

I did this...

Connect with AnyConnect. The connection is successful but DNS is not working. This is because the file /var/run/resolv.conf is missing.

Start vi and edit the file manually:

sudo vi /var/run/resolv.conf

Add your DNS information like this:

search foobar.com
nameserver 10.10.10.1
nameserver 10.10.10.2

Save the file. After this my DNS/VPN stuff is working.

Benjamin Hofstetter Thu, 11/20/2014 - 05:42

Maybe you can set a 'static dns server' using the mac os network config UI AFTER connecting with AnyConnect. I never tried it.

gavinharper13 Thu, 11/20/2014 - 07:54

Once you have created the file with your own domain and DNS settings, do you need to do anything else, like reload it?

The file is being created, but it still won't work. Cheers for your help though.

Benjamin Hofstetter Thu, 11/20/2014 - 08:00

No, it was working after I edited / created the file. You can test it with:

dig -t mx google.com @1.1.1.1

Use your internal DNS server instead of 1.1.1.1.
razvan1979 Tue, 11/25/2014 - 04:25

We have disabled IPv6 on the WiFi ("sudo networksetup -setv6off Wi-Fi"), and after connecting to AnyConnect traffic stops. So this is not a viable solution.

l.charbonnier Tue, 03/24/2015 - 08:04

When disabling IPv6 with "networksetup -setv6off Wi-Fi" with iOS 8.2 and OSX 10.10.2, DNS seems to work globally (using iPhone DNS resolution) but not with the AnyConnect-provided internal DNS server. However, name resolution is still broken for all (internal/external) names.

Kieninger1 Wed, 11/26/2014 - 23:05

I have the same problem with AnyConnect 4 and OS X 10.10.1.

Is there a solution already?

karenkosoy Tue, 12/30/2014 - 10:21

Just wondering if anyone has heard of an update about this issue. I am still experiencing it.

Thanks, and Happy New Year!

Have this problem as well, and depending on workstation network configuration it either fails to connect (due to IPv6 forwarding table re-writes failing, according to the debug log) or connects with the issues mentioned in this thread: no DNS, empty resolv.conf.

Would love to see a resolution to this, but suspect it'll come from the Apple side given that everything was "fine" in Mavericks.

tim.economides Mon, 01/12/2015 - 12:32

All - I have a solution for this problem. 

In your AnyConnect Group Policy, go to Advanced > Split Tunneling.

For "DNS Names" uncheck "inherit" and manually define your LAN's internal DNS domain name.

For "Send All DNS Lookups Through Tunnel" uncheck "inherit" and manually select "no".

For reasons I've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel. 

If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.

Good luck!

-Tim

davidshulman Tue, 01/13/2015 - 00:07

Sorry, but this does not solve the issue for us. This is the exact configuration we already have and we have had it from the beginning of this problem appearing. This is clearly an incompatibility with AnyConnect and Yosemite. The ONLY success I have had is with a pocket router in between my iPhone Hotspot and my laptop running Yosemite. It is an ugly hack, but at least I am portable(ish) again.

tim.economides Tue, 01/13/2015 - 00:11

Hi David -

I used this solution for 6 different customers of mine today and it universally solved it. Check your split tunnel settings across the board as well as DNS and domain name related bits in your group profile. Feel free to post your webvpn config too.

tim.economides Tue, 01/13/2015 - 09:13

Which AnyConnect and OS X versions? I'm on 3.1.06073 and 10.10.1 respectively. 

razvan1979 Tue, 01/13/2015 - 23:44

Hello Tim,

I have the same version, mate, exactly the same; maybe something is missing in my config!

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
ping: sendto: No route to host
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss

cat /etc/resolv.conf
cat: /etc/resolv.conf: No such file or directory

group-policy GP-XXX internal
group-policy GP-XXX attributes
 dns-server value 172.xx.xx.xx 10.xx.xx.xx
 vpn-simultaneous-logins 2
 vpn-idle-timeout 60
 vpn-filter value ACL-XXX
 vpn-tunnel-protocol ikev2 ssl-client
 group-lock value TN-XXX
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUNNEL
 split-dns value  hs2 dc2 office qxlint
 address-pools value VPNPOOL-XXX

gishroff Tue, 01/13/2015 - 00:53

Hi Tim, can you please guide me to find the AnyConnect Group Policy so I can try the solution?

simon.anthony Tue, 03/17/2015 - 05:08

As above OS X 10.10.2 AnyConnect 3.1.07021 iOS 8.2 - tethered (hotspot) connection. Adding the local domain name/DNS lookup setting (which is unchanged in this instance) as per tim.economides suggestion appears to resolve the issue (after initial testing)!

scott00011111111 Wed, 03/11/2015 - 09:33

Same issue here. As an end user, I apparently don't have access to the Group Policy to edit it.

georgeocrawford Thu, 03/12/2015 - 06:42

I think tethering + AnyConnect is working for me again with the recent iOS 8.2 update!

simon.anthony Mon, 03/16/2015 - 08:07

OS X 10.10.2 AnyConnect 3.1.07021 iOS 8.2 - tethered (hotspot) connection - when VPN active - Internet/DNS/Local Network unavailable - the problem is still as per razvan1979's original observation.

Correct Answer
WG Network Team Fri, 04/03/2015 - 04:19

Gentlemen,

Seems that we have a solution. Try to follow this picture to enable client bypass protocol. It works for us

OR

enter "client-bypass-protocol enable" in group-policy attributes section using CLI

gavinharper13 Tue, 03/31/2015 - 03:54

This would require an expensive update for us. What version ASDM are you running?

WG Network Team Tue, 03/31/2015 - 05:54

Which update are you talking about?

Just try to enter "client-bypass-protocol enable" in group-policy attributes section using CLI

gavinharper13 Thu, 04/02/2015 - 02:16

It seems our version of ASDM doesn't have that option; it has the rest but not "Client Bypass Protocol".

I wonder if it's a config setting somewhere else to enable it.

WG Network Team Thu, 04/02/2015 - 04:22

In my previous comment I described how to do this in the CLI. You don't even need ASDM to configure the ASA.

simon.anthony Thu, 04/02/2015 - 06:12

I have "Client Bypass Protocol" disabled. Connections from tethered networks are now fine on the latest ASA, AnyConnect 3.1 and OS X software after effecting tim.economides suggestion.

Ian Brennan Fri, 04/17/2015 - 10:15

Is there an equivalent to this command for webvpn configured on an ISR router? I can't seem to find it if so.
