Always-On with manual disconnect option - issues

amir.glibic
Level 1

Hi,


We're currently deploying a VPN profile customized for a customer, but we are facing some issues with it.

The customer wants to have the following behavior:

1) Seamless automatic VPN connection at startup (always-on profile with machine-cert auth)

2) Users should be able to manually disconnect (e.g. to access a local resource)

3) When finished and connecting again, the connection should again happen without any interaction (machine-cert)

Parts 1 and 3 work absolutely fine. The behavior and flow are incredible, miles ahead of any other competitor that I know of.

Our only problems occur with the part where the user can manually disconnect.

This was achieved with the profile option "Allow VPN Disconnect", but:

A) In the AC client the message "VPN Connection Required" is shown, and after a certain amount of time the connection is re-established automatically. So if a user is using e.g. a local RDP connection, AC reconnects by itself, and since it is a full tunnel, the RDP connection is dropped. So the user needs to disconnect AC manually again and reconnect to RDP, over and over again every 2-3 minutes.

Is there any way either to tweak some timer (e.g. to at least an hour), or to completely disable the auto-reconnect, without having any impact on the initial connection at startup, which is desired and should happen immediately?

B) After disconnecting manually, there is an issue with the internet connection.

- Cisco AC network adapter is disabled (good)

- ipconfig shows the correct local Wi-Fi settings (good)

- nslookup is working properly (to the home router IP - good)

- Routing table looks fine (except an explicit host-route to the public IP of the VPN Gateway)

- Windows shows the little yellow triangle with the exclamation mark: no internet connection

- nslookup cisco.com works / ping cisco.com doesn't work ("Ping request could not find host cisco.com. Please check the name and try again.")

- ping to the GW (192.168.0.1) results in "General failure."

The only two solutions that resolve this connection issue are either to reconnect the VPN (works properly) or to kill AnyConnect and then disable/enable the Wi-Fi adapter.

For me it's really strange behavior.

DNS works with nslookup, but pinging that same hostname ends in a DNS error.

DNS lookup to the router works, but pinging the router doesn't.

Nothing on the internet is reachable, but re-establishing the VPN connection to the GW via the internet works.


Do you guys have any idea if this issue can be resolved?

Thanks in advance!
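A repeatable version of the checks listed under B), added here as an example and not part of the original post. It assumes the LAN adapter is named "Wi-Fi" (adjust the parameter if yours differs), takes the router address 192.168.0.1 from the post, and contrasts the direct DNS query that nslookup performs with the Windows resolver path that ping and other applications use.

```powershell
# Added diagnostic helper (not from the original post): runs the checks from
# section B) after a manual AnyConnect disconnect so the state can be compared
# before and after reconnecting. Assumptions: LAN adapter is "Wi-Fi", router is
# 192.168.0.1 (from the post). Run in an elevated PowerShell on the client.
param(
    [string]$LanAdapter = "Wi-Fi",
    [string]$Gateway    = "192.168.0.1",
    [string]$TestHost   = "cisco.com"
)

# 1. State of the AnyConnect virtual adapter and of the LAN adapter.
Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like "*AnyConnect*" -or $_.Name -eq $LanAdapter } |
    Select-Object Name, InterfaceDescription, Status, LinkSpeed | Format-Table -AutoSize

# 2. Leftover /32 host routes (the post notes one pointing at the VPN gateway's public IP).
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like "*/32" -and $_.DestinationPrefix -notlike "127.*" } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric | Format-Table -AutoSize

# 3. DNS two ways: a direct query to the router (what nslookup does) versus the
#    Windows resolver (what ping and normal applications use). A mismatch here
#    means the adapter's DNS settings/NRPT state, not the DNS server, is the issue.
$direct = Resolve-DnsName -Name $TestHost -Server $Gateway -DnsOnly -ErrorAction SilentlyContinue
"Direct query to $Gateway : " + $(if ($direct) { ($direct | Where-Object Type -eq 'A').IPAddress -join ', ' } else { 'FAILED' })
try {
    $sys = [System.Net.Dns]::GetHostAddresses($TestHost)
    "System resolver         : " + ($sys.IPAddressToString -join ', ')
} catch {
    "System resolver         : FAILED ($($_.Exception.Message))"
}

# 4. ICMP to the gateway. ping.exe reports "General failure" when the send
#    itself fails (no usable interface/route), not when the reply times out.
$icmp = Test-Connection -ComputerName $Gateway -Count 1 -Quiet -ErrorAction SilentlyContinue
"ICMP to $Gateway        : " + $(if ($icmp) { 'OK' } else { 'FAILED' })

# 5. Bindings on the LAN adapter: AnyConnect installs a filter driver there, and
#    the "disable/enable Wi-Fi" workaround re-initialises exactly these bindings.
Get-NetAdapterBinding -Name $LanAdapter |
    Where-Object { $_.DisplayName -like "*AnyConnect*" -or $_.ComponentID -like "ms_tcpip*" } |
    Select-Object Name, DisplayName, ComponentID, Enabled | Format-Table -AutoSize
```

Capturing this output once while the problem is present and once after a reconnect gives the support case concrete evidence of which layer (routes, resolver, adapter binding) differs between the two states.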