Strange AnyConnect IPv6 interfering with IPv4 scenario
I ran across this scenario last week and I am not sure if I am missing something simple or if this is a real issue.
Problem: It appears IP6 may interfere with IP4 VPN connections.
My network is a large state-wide network which touches many other state agencies (usually by having firewalls in between us and having them VPN into the outside of our firewall). Last week I configured a new VPN connection for one of these agencies and had them connect. The VPN configuration is a split-tunnel scenario where they use the VPN tunnel for a specific application and all other traffic stays local.
During testing I noticed the user could reach some of their local resources but not all of them. After some basic troubleshooting we determined that anytime the user tried to reach a local resource that had IP6 capability (please note, IP6 was not actually configured, just baked into the OS) they were not able to access said resource. They could, however, reach IP4 resources with no problems. IP6 was "unchecked" in the NIC on both client and server resources. Another IT resource has told me that IP6 is unable to be shut off in 2008 and newer because Microsoft has tied many OS services and features into it.
Simple ping tests proved that when the user was trying to reach resources with IP6 "built in" all traffic was trying to use IP6 by default (unless we used the -4 switch to force IP4). The command prompt window would show a "general failure" when trying to ping any of these IP6 resources.
I was able to replicate this problem in another environment where a VPN user connects, tries to ping several Domain controllers and the ones that are 2008 and newer try to respond over IP6 while older boxes respond over IP4. Needless to say I am getting nervous because this could break a ton of services if/when the older Domain controllers are upgraded.
Does anyone have any experience with this? I am concerned that IP6 is the "default" protocol even when it is not configured and this is causing users connected with AnyConnect to be unable to access those resources even though they are running IP4 as well.