AnyConnect triggers Hosts File Access warning on Avira

easily_confused
Level 1

The company I work for uses AnyConnect to provide VPN services.

I'm wondering why AnyConnect 3.0.10055 triggers a Hosts File Access warning on Avira Anti-Virus on my Windows 7 64-bit PC? I tried turning the Avira protection off and then connecting and detected no changes to the file. AnyConnect connects fine even when Avira blocks access. Is AnyConnect opening it for write, but not writing?

On a separate note, why does AnyConnect use 6 IP addresses? What document should I read?

Thanks,

Bruce

Herbert Baerten
Cisco Employee

Hi Bruce

As far as I understood, AC indeed modified the hosts file but just for a very short time during connection establishment.

To be more precise, after doing a DNS lookup of the head-end (ASA or router) it will rename the hosts file and create a new one that contains the result of the DNS lookup. This is to make sure that subsequent name lookups return the same IP address. When the connection is established, the original hosts file is restored.

Now, this is only important in scenarios where DNS load balancing is used, so where the DNS name you connect to potentially resolves to 2 or more different IP addresses. This could cause a problem if at different stages of the connection process we use different IP addresses, hence we store the first IP address in the hosts file.

So if you don't use VPN load balancing then you should not see any problem if the hosts file cannot be modified.

What 6 addresses are you referring to?

hth

Herbert

Thanks for the explanation. Messing with the hosts file seems like a hack, but I expect you have your reasons. I'm glad I don't have a real issue with it affecting AnyConnect operation because I want to leave it protected.

The six addresses are 6 secured-routes in the route details tab. Does it have to do with how our SA arranged things at his end?

bruce bruce wrote:

The six addresses are 6 secured-routes in the route details tab. Does it have to do with how our SA arranged things at his end?

I see. Yes, the secured-routes are defined by the head-end admin; all traffic destined to these addresses is encrypted and sent over the tunnel; all other traffic is not encrypted and just sent out the local interface.

This is called split-tunnel (as opposed to "tunnel-all" where all traffic is sent across the tunnel).

Herbert
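
An added example, not part of the thread and not Cisco's code: a check that classifies a time-ordered series of hosts-file snapshots as unchanged, transient (modified and then restored, the sequence the first reply describes) or persistent (entries still differ at the end). The sample file contents, the address 192.0.2.10, the name vpn.example.com and the function names are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Return the set of (ip, hostname) mappings found in hosts-file text."""
    entries = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or incomplete line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field is not an IP address
        entries.update((ip, name.lower()) for name in fields[1:])
    return entries

def classify_timeline(snapshots):
    """snapshots: hosts-file contents in time order; the first is the baseline.

    Returns (verdict, added, removed), where added/removed compare the last
    snapshot with the baseline.
    """
    baseline = parse_hosts(snapshots[0])
    states = [parse_hosts(s) for s in snapshots[1:]]
    final = states[-1] if states else baseline
    added, removed = final - baseline, baseline - final
    if added or removed:
        verdict = "persistent"    # file was not restored to its original mappings
    elif any(state != baseline for state in states):
        verdict = "transient"     # changed mid-way, original mappings are back
    else:
        verdict = "unchanged"
    return verdict, sorted(added), sorted(removed)

# Constructed sample data: original file, and a file with one pinned head-end entry.
ORIGINAL = "127.0.0.1 localhost\n::1 localhost  # loopback\n"
DURING = ORIGINAL + "192.0.2.10 vpn.example.com\n"

if __name__ == "__main__":
    print(classify_timeline([ORIGINAL, DURING, ORIGINAL]))  # restored after connect
    print(classify_timeline([ORIGINAL, DURING]))            # pinned entry left behind
```

Comparing parsed mappings rather than raw bytes means a restore that only changes whitespace or comments is not reported as a persistent change.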