CISCO Anyconnect Secure Mobile Client causes Bash to lose connection #2529

Closed
napsternxg opened this issue Sep 29, 2017 · 13 comments

@napsternxg

This bug-tracker is monitored by developers and other technical types. We like detail! So please use this form and tell us, concisely but precisely, what's up. Please fill out ALL THE FIELDS!

If you have a feature request, please post to the UserVoice.

Important: When reporting BSODs or security issues, DO NOT attach memory dumps, logs, or traces to Github issues. Instead, send dumps/traces to secure@microsoft.com, referencing the GitHub bug number. Ideally, please configure your machine to capture minidumps, repro the issue, and send the minidump from "C:\Windows\minidump".

  • Your Windows build number: (Type ver at a Windows Command Prompt)
    Microsoft Windows [Version 10.0.15063]
  • What you're doing and what's happening: (Copy&paste specific commands and their output, or include screen shots)
    When I use CISCO Anyconnect Secure Mobile Client to connect to my college VPN, I lose connectivity to the internet from Bash.

e.g.

$ ping google.com 
ping: unknown host google.com                   

When I disconnect from the VPN, I get back the internet instantaneously.

Post disconnect:

$ ping google.com
PING google.com (172.217.6.110) 56(84) bytes of data.
64 bytes from ord37s03-in-f14.1e100.net (172.217.6.110): icmp_seq=1 ttl=53 time=16.7 ms
64 bytes from ord37s03-in-f14.1e100.net (172.217.6.110): icmp_seq=2 ttl=53 time=36.8 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 16.712/26.767/36.822/10.055 ms

This is what my /etc/resolv.conf looks like before VPN connection:

$ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, remove this line.
nameserver 192.168.1.1
nameserver 130.126.2.131
nameserver fec0:0:0:ffff::1
search gw.illinois.edu

And this is after disconnect:

$ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, remove this line.
nameserver 192.168.1.1
nameserver fec0:0:0:ffff::1
nameserver fec0:0:0:ffff::2
  • What's wrong / what should be happening instead:
    Meanwhile I can access all the websites from my Windows with and without the VPN. So, it appears that something is making the VPN connection on Bash work incorrectly.

  • Strace of the failing command, if applicable: (If <cmd> is failing, then run strace -o strace.txt -ff <cmd>, and post the strace.txt output here)

Strace output

$ sudo strace -o strace.txt -ff ping google.com
ping: unknown host google.com
$ cat strace.txt.1399
execve("/bin/ping", ["ping", "google.com"], [/* 13 vars */]) = 0
brk(NULL)                               = 0x2002000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffde7200000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20867, ...}) = 0
mmap(NULL, 20867, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffde7203000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\30\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=23128, ...}) = 0
mmap(NULL, 2118192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffde6bf0000
mprotect(0x7ffde6bf4000, 2097152, PROT_NONE) = 0
mmap(0x7ffde6df4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7ffde6df4000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffde6820000
mprotect(0x7ffde69df000, 2097152, PROT_NONE) = 0
mmap(0x7ffde6bdf000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7ffde6bdf000
mmap(0x7ffde6be5000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffde6be5000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffde71f0000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffde71e0000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffde71d0000
arch_prctl(ARCH_SET_FS, 0x7ffde71e0700) = 0
mprotect(0x7ffde6bdf000, 16384, PROT_READ) = 0
mprotect(0x7ffde6df4000, 4096, PROT_READ) = 0
mprotect(0x609000, 4096, PROT_READ)     = 0
mprotect(0x7ffde7025000, 4096, PROT_READ) = 0
munmap(0x7ffde7203000, 20867)           = 0
brk(NULL)                               = 0x2002000
brk(0x2023000)                          = 0x2023000
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP|CAP_MAC_OVERRIDE|CAP_MAC_ADMIN|CAP_SYSLOG|CAP_WAKE_ALARM|CAP_BLOCK_SUSPEND, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP|CAP_MAC_OVERRIDE|CAP_MAC_ADMIN|CAP_SYSLOG|CAP_WAKE_ALARM|CAP_BLOCK_SUSPEND, 0}) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
prctl(PR_SET_KEEPCAPS, 1)               = 0
getuid()                                = 0
setuid(0)                               = 0
prctl(PR_SET_KEEPCAPS, 0)               = 0
getuid()                                = 0
geteuid()                               = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_NET_RAW, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = -1 EFAULT (Bad address)
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_NET_RAW, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
getpid()                                = 1399
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=208, ...}) = 0
read(4, "# This file was automatically ge"..., 512) = 208
read(4, "", 512)                        = 0
close(4)                                = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=208, ...}) = 0
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=208, ...}) = 0
read(4, "# This file was automatically ge"..., 512) = 208
read(4, "", 512)                        = 0
close(4)                                = 0
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=497, ...}) = 0
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 512) = 497
read(4, "", 512)                        = 0
close(4)                                = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=20867, ...}) = 0
mmap(NULL, 20867, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7ffde7203000
close(4)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260!\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0644, st_size=47600, ...}) = 0
mmap(NULL, 2168600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7ffde6600000
mprotect(0x7ffde660b000, 2093056, PROT_NONE) = 0
mmap(0x7ffde680a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xa000) = 0x7ffde680a000
mmap(0x7ffde680c000, 22296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffde680c000
close(4)                                = 0
mprotect(0x7ffde680a000, 4096, PROT_READ) = 0
munmap(0x7ffde7203000, 20867)           = 0
open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=92, ...}) = 0
read(4, "# The \"order\" line is only used "..., 512) = 92
read(4, "", 512)                        = 0
close(4)                                = 0
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=355, ...}) = 0
read(4, "# This file was automatically ge"..., 512) = 355
read(4, "", 512)                        = 0
close(4)                                = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=20867, ...}) = 0
mmap(NULL, 20867, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7ffde7203000
close(4)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\17\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0644, st_size=27000, ...}) = 0
mmap(NULL, 2121944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7ffde63f0000
mprotect(0x7ffde63f5000, 2097152, PROT_NONE) = 0
mmap(0x7ffde65f5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x5000) = 0x7ffde65f5000
close(4)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P9\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0644, st_size=101200, ...}) = 0
mmap(NULL, 2206280, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7ffde61d0000
mprotect(0x7ffde61e7000, 2097152, PROT_NONE) = 0
mmap(0x7ffde63e7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x17000) = 0x7ffde63e7000
mmap(0x7ffde63e9000, 6728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffde63e9000
close(4)                                = 0
mprotect(0x7ffde63e7000, 4096, PROT_READ) = 0
mprotect(0x7ffde65f5000, 4096, PROT_READ) = 0
munmap(0x7ffde7203000, 20867)           = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=208, ...}) = 0
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 16) = 0
gettimeofday({1506717289, 640568}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0)    = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\311\371\1\0\0\1\0\0\0\0\0\0\6google\3com\0\0\1\0\1", 28, MSG_NOSIGNAL, NULL, 0) = 28
poll([{fd=4, events=POLLIN}], 1, 5000)  = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [28])                = 0
recvfrom(4, "\311\371\201\3\0\1\0\0\0\0\0\0\6google\3com\0\0\1\0\1", 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) = 28
close(4)                                = 0
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 16) = 0
gettimeofday({1506717289, 649256}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0)    = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\362\357\1\0\0\1\0\0\0\0\0\0\6google\3com\2gw\10illin"..., 44, MSG_NOSIGNAL, NULL, 0) = 44
poll([{fd=4, events=POLLIN}], 1, 5000)  = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [44])                = 0
recvfrom(4, "\362\357\201\3\0\1\0\0\0\0\0\0\6google\3com\2gw\10illin"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) = 44
close(4)                                = 0
write(2, "ping: unknown host google.com\n", 30) = 30
exit_group(2)                           = ?
+++ exited with 2 +++

See our contributing instructions for assistance.
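
Decoding the two `recvfrom()` payloads from the strace above shows what the resolver at 192.168.1.1 actually returned. This is an added example, not part of the original report; the function names are hypothetical, and the parser tolerates strace cutting strings at 32 bytes.

```python
import re
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
_ESC = re.compile(r"\\([0-7]{1,3}|x[0-9a-fA-F]{1,2}|.)")
_SIMPLE = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "a": 7, "b": 8}

def unescape_strace(text):
    """Convert a strace-escaped string (octal, hex, C escapes) to raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        if tok[0] in "01234567":
            out.append(int(tok, 8) & 0xFF)
        elif tok[0] == "x" and len(tok) > 1:
            out.append(int(tok[1:], 16))
        else:
            out.append(_SIMPLE.get(tok, ord(tok) & 0xFF))  # \" and \\ map to themselves
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def parse_dns(msg):
    """Decode the DNS header and first question; tolerate strace's 32-byte cut."""
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    labels, i, truncated = [], 12, False
    while i < len(msg) and msg[i] != 0:
        n = msg[i]
        if n & 0xC0 or i + 1 + n > len(msg):  # not a plain label, or cut off by strace
            labels.append(msg[i + 1:].decode("ascii", "replace") + "...")
            i, truncated = len(msg), True
            break
        labels.append(msg[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    qtype = struct.unpack("!H", msg[i + 1:i + 3])[0] if i + 5 <= len(msg) else None
    return {
        "id": ident, "response": bool(flags >> 15), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "answers": an, "qname": ".".join(labels), "qtype": qtype, "truncated": truncated,
    }

# Replies copied from the recvfrom() lines of the strace in this report.
REPLY_BARE = r"\311\371\201\3\0\1\0\0\0\0\0\0\6google\3com\0\0\1\0\1"
REPLY_SEARCH = r"\362\357\201\3\0\1\0\0\0\0\0\0\6google\3com\2gw\10illin"

if __name__ == "__main__":
    for raw in (REPLY_BARE, REPLY_SEARCH):
        print(parse_dns(unescape_strace(raw)))
```

Both replies decode to RCODE 3 (NXDOMAIN) with zero answers, so the server at 192.168.1.1 responded to the query rather than timing out.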

@kategray

kategray commented Oct 3, 2017

It might be helpful to show the routing on both the windows and linux side of things.

AnyConnect changes the routing to force things through the AnyConnect adapter. If you are set up for split tunnel (as implied by the screenshot), it's likely going to tell windows to send packets for the school IP to AnyConnect, while everything else remains normal.

If Linux is routing packets to the wrong destination, they won't get where they are supposed to go.

You can get the routing table on Linux by typing route. On Windows, the command is route PRINT.

I'd suggest comparing the routing in Windows before and after AnyConnect, as well as the routing in Linux. See what changes, and if Linux is set up with the same default route as Windows.

@sc-moonlight

sc-moonlight commented Aug 1, 2018

So far there doesn't seem to be a "fix", but it is a workaround from Microsoft that just saved me.
see "Bash loses network connectivity once connected to a VPN":
https://docs.microsoft.com/en-us/windows/wsl/troubleshooting#bash-loses-network-connectivity-once-connected-to-a-vpn

@eclay11

eclay11 commented Jun 28, 2019

I'm experiencing the same issue. I've tried the task mentioned on the microsoft docs page related to connecting to vpn causing this issue. /etc/resolv.conf tried with same IPs showing for the vpn interface in ipconfig /all. Also tried using public google name servers neither work. Can't ping my windows systems interface setup for Hyper-v either nor tracepath/traceroute from linux beyond the internal private hyper-v configured network. All starts working the second you disable the vpn connection. Something in the vpn client isn't either letting local networking work or is messing up routing or something. Very frustrating.

tracepath from within Ubuntu 18.04 with the vpn connected.
eclay@wh-lpt-eclay:~$ tracepath 8.8.8.8
1?: [LOCALHOST] pmtu 1500
1:

If I disconnect it will start tracing the network/hops to 8.8.8.8.

@dalgibbard

This matches #4277 - it seems that changing the route priorities (#4277 (comment)) or using the microsoft store version of anyconnect (#4277 (comment)) are possible workarounds.

@abhijeetchopra

Replacing the SSL VPN client from Cisco AnyConnect to OpenConnect worked for a colleague.

@abaga129

Using the OpenConnect client also worked for me. Open source software saves the day yet again. Thanks for the tip @abhijeetchopra

@mf-digital

This also happens with Cisco AnyConnect 4.9.0304. IMHO there are two issues:

  • nameservers are not being set correctly thus leading to a "temporary name resolution error"
  • device metrics of Cisco adapters are not being set correctly, which can (at least in my case) be fixed by running this PowerShell command after each reboot:
    Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

@dalgibbard

I've been using the metric change + dnsmasq fixes above with success, but I'm finding it doesn't work on cold boot, only after a reboot? Is this just me?

@arnisjuraga

arnisjuraga commented May 25, 2021

The only workaround I have found is using the small wsl-vpnkit network relay. Installation instructions are simple and no Administrator rights are required.

Follow the instruction till "Run" block.

After running sudo ./wsl-vpnkit WSL2 can use network with AnyConnect VPN on.

https://github.com/sakai135/wsl-vpnkit

@IgalOre

IgalOre commented Jun 16, 2021

I do confirm that the only solution that worked in the end was the one explained in https://github.com/sakai135/wsl-vpnkit. Excellent explanation, glad that I found it.

@Celshade

#2529 (comment) was the method that worked for me - confirmed on two completely different machines

@konradsoares

Fixed my problem by checking Allow local (LAN) access and adding the result of the command below to the /etc/resolv.conf nameservers:
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses

@OneBlue
Collaborator

OneBlue commented May 14, 2024

VPN / connectivity
Hi! Please try the latest networking features that we've added in WSL. Those should greatly improve compatibility with VPNs.

If the issue still remains, please reopen this issue.

@OneBlue closed this as completed May 14, 2024