ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2351
Views
0
Helpful
15
Replies
Highlighted
Beginner

Anyconnect 2.5.5130 and iOS6

Wanted to share a issue I have been working on with the new release of iOS6.  Not looking to get configuration support, just sharing the observations.

My issue is Anyconnect clients that are on iOS6 fail to use Internal DNS servers.  After a few hours of testing, I have come to the point that I feel the issue is in the client OS.   The end user affect is that if you have a SSL session established the end client can not resolve internal DNS address.  Input of the IP directly works, and captures from the ASA show the Client asking and getting a response from the correct DNS server.

Downgrade from iOS6 to lower version the problem goes away.  Upgrade back to iOS6 the problem returns.

Affected testing versions.

Anyconnect Client 2.5.5130

Apple iOS5.4 and iOS6.

ASA 8.4(3)8

CVN

Everyone's tags (2)
15 REPLIES 15
Highlighted
Beginner

Anyconnect 2.5.5130 and iOS6

Same issue here. You should also try testing with "Scany" from the iTunes store. I can ping hosts by name in "Scany". However can not contact hosts through iOS 6 via FQDN. We are using Anyconnect to secure connecting to our Lotus Domino servers for email.

Highlighted
Beginner

Anyconnect 2.5.5130 and iOS6

Just out of curiosity, are the symptoms with split tunneling or with tunnel everything policies?

Highlighted
Beginner

Anyconnect 2.5.5130 and iOS6

Petteri:

In all my testing the tunnel was configured with split tunneling.  I opened a support case with Cisco to confirm that I did not have some issue.  After a about half an hour the engineer asked if I could test with an iOS device without version 6.  As it worked he was satisfied that the configuration was sound.  Suggested I not use iOS6 devices.  This is problematic, as last I checked there was no down grade for my new executive type folks with there shinny new iPhone5's to iOS 5ish.

I will say that as far as I have tested, this indeed looks to be an issue with Apple's first release of 6.  I hope that after a few weeks that a fix will be realized via an iOS update.

My plan B is to give the boss types my iPhone4 and just not VPN with my shinny new iPhone5!...it could happen......

CVN

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

In my case this only happens when I am connected to the cell carrier network which is Verizon in my case, either on my iPad 2 or iPhone 5 with iOS 6. When I am connected via wifi the vpn is fine. Also note that sometimes the vpn works just fine on Verizon, almost like it depends on what cell tower I am connected too, the tower next to work doesnt work, the one next to my home works fine most of the time.. Its a very strange problem. I have also noticed that Verizon hands out the wrong subnet mask of 255.255.255.255 on the carriers ip scheme. If you go into the Anyconnect app, under Diagnostics, then system info. My "Cellular Data" looks like this. IPv4 Address 10.184.19x.xx IPv4 Subnet mask 255.255.255.255... DNS servers are my internal ones of 10.3.3.xx and 10.3.3.xx..

Then if I goto http://www.ipchicken.com to check what my external ip is, it's completely different. My external ip is 70.194.13x.xxx

I am also using split tunneling too. Also note that this only affects data that is using the iOS 6 interface, meaning I can use the "Scany" app to ping clients through the VPN just fine. DNS works in that application. So I am assuming that application is using it's own interface? and not relying on the iOS 6 interface? Again very strange problem to have and diagnose the issue.

Message was edited by: Aaron Tyson

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

For me the iOS6 and the lates AC for iOS has been working mostly fine. Mostly because with the test profile I have been using I noticed some strange behavior caused by the fact how the iOS6 checks the network connectivity,

http://appleinsider.com/articles/12/09/19/some_ios_6_users_reportedly_suffering_from_wi_fi_issues, and the fact that I also had a proxy/content filter configured for my test profile. I have enabled roaming between 3G/WiFi and cert based authentication so this was mostly just annoying.

However this could be something to check? As well as the proxy settings you might get with the AC. I'll try to find some further details about the "network check" iOS6 has as I would like to know if that check could be "faked". With a proxy that should be quite trivial in fact.

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

m'kay. So the page iOS6 uses to test if it is behind a captive portal or if there is no network connectivity at all is

http://www.apple.com/library/test/success.html

I think I'll play with some two way URL rewrites tomorrow in our proxy and see what happens...

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

I would like to make sure I was clear.  My issues where not with the unit checking to see if access to the intardnet was working or not.  The issue was more that if a hostname or FQDN name on the tunneled side of the VPN was requested by the end device while a VPN session was up it did work.  In affect the end node would query the internal DNS and the DNS would respond.  Then the client promptly did not use this information and would send the request out via the CELL network to the public Internet.  This did not happen if I was on WIFI with the same node.  This also did NOT happen on older apple iOS code versions.

I had read about the new features with the portal checking "features". This is the base issue that got apple in the network spotlight right off the bat with issues on there side.  They reach out to a public apple website site to see if things are working, that was down....So the end node reported that there was no intardnet.

Sounds like you are dealing with another issue.  Best of luck on your adventure.

CVN

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

After further testing I am convinced that this is an iOS 6 issue AND cell carrier issue. Simply because I can connect to my wifi router from home going through Comcast just fine. To me it seems like a subnet / DNS / split tunnel issue. Also I am using certificates to authenticate the ssl vpn tunnel. I just wish I could have more log data from the iOS side of this issue to verify the problem. Anyone know how to view logs in iOS 6?

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

I have a client who's experiencing the same issue. It doesn't look like the device is using AnyConnect-supplied DNS servers. This appears to only happen on 3G, as I don't have this issue on WiFi (tested from a couple different WiFi locations)

They are not using split-tunnels (all traffic is sent over the VPN).

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

Tonight Apple released an iOS update. This update did not reslove the issues we are expeirencing here with the client device not reclieving proper DNS traffic when you are connected through your cell carrier. If you are on wifi via comcast as an example the client works fine.

Another thing you should check on the Anyconnect app is this. Goto the diagnostics tab, then system information. Notice the cellular data ipaddress and subnet mask is different from what your real exteranl ipaddress is. That 10.x.x.x is a private ip range and either the anyconnect software or the ASA is blocking those private ip? Again I am simply guessing here also because the vpn tunnel eventually works some times on the cell carrier connection...

Highlighted
Beginner

Anyconnect 2.5.5130 and iOS6

Group:

As of the newest Apple Store client release 3.0.090967(?)bug CSCts89292 was supposed to be fixed.  My testing shows that the issue is still present.  Anyone else agree/disagree?

CVN

Highlighted
Beginner

Re: Anyconnect 2.5.5130 and iOS6

Yes the issue is still there becuase it's an Apple iOS issue and not a Cisco Anyconnect issue.

!!!UPDATE!!!

Apple DOES have a fix for it in a BETA of 6.0.x. However, it has NOT been released as of yet.

Read more here.

https://discussions.apple.com/thread/4312913?start=0&tstart=0

http://wiki.strongswan.org/issues/264

==

Message was edited by: Aaron Tyson

Highlighted
Beginner

Anyconnect 2.5.5130 and iOS6

It does actually appear to solve the problem for me. I think there are actually two related problems, and this update only solves one of them...

Highlighted
Beginner

Anyconnect 2.5.5130 and iOS6

Looks like for the rest of us we will have to wait for iOS 6.1 not 6.0.x ..